Semantic Kernel CVSS 10.0 Vulnerability: What You Need to Know

On 7 May 2026, Microsoft quietly disclosed two critical vulnerabilities in Semantic Kernel — the official .NET framework that tens of thousands of enterprise developers are using to build AI agents right now. One of them is rated CVSS 10.0.

The official patch in version 1.71.0 addresses the specific vulnerability, but independent security research has found six ways around it. This post explains what the vulnerability is, how it works against a real .NET application, what the bypass vectors look like, and what you need to do to be safe.

What Is Semantic Kernel?

Semantic Kernel is Microsoft's unified orchestration framework for integrating Large Language Models (LLMs) into .NET applications. It's designed to simplify AI agent development by providing standardized abstractions for prompts, plugins, memory, planning, and LLM interactions.