Skip to content
AM-157
← Back to ledger
Holding·last review17 May 2026

Three independently-disclosed CVE classes in May 2026 (Microsoft Security Response Center's CVE-2026-25592 and CVE-2026-26030 against Semantic Kernel on 7 May 2026; OX Security's MCP STDIO supply-chain advisory traversing every published MCP implementation regardless of language; the Windsurf 1.9544.26 prompt-injection-to-MCP-registration path) share a single structural property: in the default configuration of 2026 agent frameworks, tool-configuration is treated as data the model is allowed to author, which means the deployer's allowlist is enforced against the configured tools rather than against the model's ability to mutate the configuration. The patch surface is therefore the framework default, not the deployer's wrap. The conventional 2024–2025 enterprise treatment of prompt injection — sandbox the agent's reachable surface at deployment time — is necessary but no longer sufficient. The procurement template for an agent vendor must add five framework-layer attestations (tool-configuration as a privileged operation, runtime enumeration of the tool-configuration surface, configuration-mutation telemetry, coordinated-disclosure record on framework-layer issues, MCP protocol-revision commitment) on top of the deployer-control questions that remain in place.

Claim is scoped to enterprises running production agent deployments on the named framework class (Semantic Kernel, MCP clients including Cursor / Windsurf / Claude Code / internal platforms built on the protocol, and the broader class of 2026 frameworks the Microsoft Security Response Center post identifies as sharing the anti-pattern). 60-day review cadence. Trigger conditions for status changes: (1) a published vendor benchmark showing framework-layer tool-configuration enforcement in default builds above 80% of measured surface across Semantic Kernel, MCP clients, and Windsurf (would move toward Partial because the framework defaults have shifted); (2) a second independently-disclosed framework-layer CVE in the same prompt-injection-to-execution class within the review window (would harden the structural argument and keep Holding); (3) a major 2026 production incident with public post-mortem traceable to one of the three named frameworks (would either confirm or refute the operational implication depending on the specific failure path); (4) the emergence of a framework-vendor-issued attestation programme covering tool-configuration as a privileged operation, with a documented enforcement mechanism (would move toward Partial because the procurement pattern has a tooling answer); (5) Anthropic's MCP working group shipping a protocol-level revision that distinguishes user-authored from model-authored configuration as part of the spec rather than as an implementation guideline (would move toward Partial because the protocol-layer fix is the longer path and its completion materially changes the affected surface).

Published
17 May 2026
Last reviewed
17 May 2026
Next review
+59d· 16 Jul 2026
Source piece
Prompt injection just crossed the RCE threshold: what the May 2026 Semantic Kernel and MCP CVEs mean for enterprise AI agent frameworksRead piece →
Permalink/holding/AM-157/
Embed this claimiframe + oEmbed
HTML iframe
Paste-the-URL (Substack, Medium, Notion, WordPress)

The card auto-updates when the claim's status, last-reviewed date, or correction log changes. Embedders never need to refresh — the card is rendered live from the canonical record.

Watch this claim

Email-me when AM-157's status, next review date, or correction log changes. One email per change. No newsletter subscription, no other mail.

The claim: Three independently-disclosed CVE classes in May 2026 (Microsoft Security Response Center's CVE-2026-25592 and CVE-2026-26030 against Semantic Kernel on 7 May 2026; OX Security's MCP STDIO supply-chain advisory traversing every published MCP implementation regardless of language; the Windsurf 1.9544.26 prompt-injection-to-MCP-registration path) share a single structural property: in the default configuration of 2026 agent frameworks, tool-configuration is treated as data the model is allowed to author, which means the deployer's allowlist is enforced against the configured tools rather than against the model's ability to mutate the configuration. The patch surface is therefore the framework default, not the deployer's wrap. The conventional 2024–2025 enterprise treatment of prompt injection — sandbox the agent's reachable surface at deployment time — is necessary but no longer sufficient. The procurement template for an agent vendor must add five framework-layer attestations (tool-configuration as a privileged operation, runtime enumeration of the tool-configuration surface, configuration-mutation telemetry, coordinated-disclosure record on framework-layer issues, MCP protocol-revision commitment) on top of the deployer-control questions that remain in place.

About this register

The Reporting register tracks claims published from articles addressed to senior enterprise IT leaders — CIOs, IT directors, heads of platform. Claims are reviewed on a 30–90 day cadence; each review either reaffirms the claim, marks one substantive part as Partial, or marks it Not holding once the underlying evidence has been overtaken.

Recent corrections in Reporting

  • AM-002 · Not holding · 06 May 2026

    URL state changed. The /the-agentic-ai-revolution-real-world-success-stories-and-strategic-insights-from-2024-2025/ slug now serves a deliberately rewritten retrospective (claimId AM-130, "Agentic AI 2024-2025 retrospective", published 04 May 2026) against audited primary sources. The 28 Apr 2026 redirect to /retractions/ has been lifted to allow that. AM-002 the claim remains Not holding — the original $3.50/dollar + 70% failure-rate framing was withdrawn and is not restored. AM-130 is a separate claim with its own evidence chain. Readers arriving at /holding/AM-002 see the withdrawal here; the article link surfaces the new piece at the URL the original lived at, with this entry as the audit trail.

  • AM-121 · Holding · 2 May 2026

    Klarna walk-back primary-source upgrade — added Siemiatkowski verbatim quotes via Bloomberg-cited-by-Fortune (9 May 2025) and the Uber-style freelance hiring detail via Entrepreneur. Closes the highest-priority evidence gap from the source dossier.

  • AM-115 · Holding · 29 Apr 2026

    Initial publication 29 Apr 2026 — the first Quarterly Claim Review Bulletin. The claim itself is recursive: it asserts that the bulletin will ship quarterly, and the next review (30 Jul 2026) tests whether the Q3 bulletin actually appeared. Status starts as 'up' because the claim is currently true (the Q2 bulletin shipped). The verdict at end of July 2026 will move to Holding, Partial (bulletin shipped but on a delayed cadence), or Not holding (no bulletin shipped). REVIEW: Peter — please verify claim text + cadence wording before removing rewriteInProgress flag.

Reviews coming up in Reporting

  • AM-003 · Holding · next +1d (19 May 2026)

    GPT-5 Pro's tiered-subscription model forces enterprises to classify problems by computational difficulty — $200/month…

  • AM-136 · Holding · next +17d (4 Jun 2026)

    Across the 24-month window May 2024 to April 2026, every major foundation-model provider (Anthropic, OpenAI, Google, AW…

  • AM-020 · Holding · next +31d (18 Jun 2026)

    The 40-60% TCO underestimate on enterprise agentic-AI deployments is not a cost-visibility failure — it is a cross-depa…