Three independently-disclosed CVE classes in May 2026 (Microsoft Security Response Center's CVE-2026-25592 and CVE-2026-26030 against Semantic Kernel on 7 May 2026; OX Security's MCP STDIO supply-chain advisory traversing every published MCP implementation regardless of language; the Windsurf 1.9544.26 prompt-injection-to-MCP-registration path) share a single structural property: in the default configuration of 2026 agent frameworks, tool-configuration is treated as data the model is allowed to author, which means the deployer's allowlist is enforced against the configured tools rather than against the model's ability to mutate the configuration. The patch surface is therefore the framework default, not the deployer's wrap. The conventional 2024–2025 enterprise treatment of prompt injection — sandbox the agent's reachable surface at deployment time — is necessary but no longer sufficient. The procurement template for an agent vendor must add five framework-layer attestations (tool-configuration as a privileged operation, runtime enumeration of the tool-configuration surface, configuration-mutation telemetry, coordinated-disclosure record on framework-layer issues, MCP protocol-revision commitment) on top of the deployer-control questions that remain in place.
Claim is scoped to enterprises running production agent deployments on the named framework class (Semantic Kernel, MCP clients including Cursor / Windsurf / Claude Code / internal platforms built on the protocol, and the broader class of 2026 frameworks the Microsoft Security Response Center post identifies as sharing the anti-pattern). 60-day review cadence. Trigger conditions for status changes: (1) a published vendor benchmark showing framework-layer tool-configuration enforcement in default builds above 80% of measured surface across Semantic Kernel, MCP clients, and Windsurf (would move toward Partial because the framework defaults have shifted); (2) a second independently-disclosed framework-layer CVE in the same prompt-injection-to-execution class within the review window (would harden the structural argument and keep Holding); (3) a major 2026 production incident with public post-mortem traceable to one of the three named frameworks (would either confirm or refute the operational implication depending on the specific failure path); (4) the emergence of a framework-vendor-issued attestation programme covering tool-configuration as a privileged operation, with a documented enforcement mechanism (would move toward Partial because the procurement pattern has a tooling answer); (5) Anthropic's MCP working group shipping a protocol-level revision that distinguishes user-authored from model-authored configuration as part of the spec rather than as an implementation guideline (would move toward Partial because the protocol-layer fix is the longer path and its completion materially changes the affected surface).
/holding/AM-157/Embed this claimiframe + oEmbed
The card auto-updates when the claim's status, last-reviewed date, or correction log changes. Embedders never need to refresh — the card is rendered live from the canonical record.
Email-me when AM-157's status, next review date, or correction log changes. One email per change. No newsletter subscription, no other mail.
The claim: Three independently-disclosed CVE classes in May 2026 (Microsoft Security Response Center's CVE-2026-25592 and CVE-2026-26030 against Semantic Kernel on 7 May 2026; OX Security's MCP STDIO supply-chain advisory traversing every published MCP implementation regardless of language; the Windsurf 1.9544.26 prompt-injection-to-MCP-registration path) share a single structural property: in the default configuration of 2026 agent frameworks, tool-configuration is treated as data the model is allowed to author, which means the deployer's allowlist is enforced against the configured tools rather than against the model's ability to mutate the configuration. The patch surface is therefore the framework default, not the deployer's wrap. The conventional 2024–2025 enterprise treatment of prompt injection — sandbox the agent's reachable surface at deployment time — is necessary but no longer sufficient. The procurement template for an agent vendor must add five framework-layer attestations (tool-configuration as a privileged operation, runtime enumeration of the tool-configuration surface, configuration-mutation telemetry, coordinated-disclosure record on framework-layer issues, MCP protocol-revision commitment) on top of the deployer-control questions that remain in place.
About this register
The Reporting register tracks claims published from articles addressed to senior enterprise IT leaders — CIOs, IT directors, heads of platform. Claims are reviewed on a 30–90 day cadence; each review either reaffirms the claim, marks one substantive part as Partial, or marks it Not holding once the underlying evidence has been overtaken.
Recent corrections in Reporting
- AM-008 · Partial · 17 Jun 2026
Source-text figure re-review: Google's 2024 Environmental Report reports a 28% year-over-year increase to 8.1 billion gallons, not the 33% (from a 6.1 billion 2023 base) asserted at publish. The 8.1B 2024 figure and the Microsoft WUE 0.30 L/kWh / 39%-improvement figure are unchanged and verified. Article corrected to 28% and the unsupported 6.1B base removed; the claim text retains the original figure with this correction per the Holding-up protocol.
- AM-132 · Partial · 10 Jun 2026
One of four legs unanchored on re-review. The claim text attributes '12% of deployments clearing 300%+ ROI with 88% at or below break-even at 12-18 months' to the Stanford DEL 2026 Enterprise AI Playbook. Full-text verification on 10 Jun 2026 found no such figure in that source: the playbook (Pereira, Graylin, Brynjolfsson, Apr 2026) studies 51 successful deployments by design and contains no ROI distribution, no 300%-plus cohort, and no break-even measurement point (full finding at AM-029, correction of 10 Jun 2026). The only verified figure carrying the same 12/88 numerals is IDC research with Lenovo (via CIO.com, Mar 2025): roughly 88% of AI proof-of-concepts never reach production and roughly 12% graduate — a pilot-to-production graduation metric, not an ROI distribution. The Gartner 28%, McKinsey 23%/17%, and MIT NANDA 95% legs verify; they support a small high-performing tail and a large struggling body, but none documents the two-peak bimodal shape the claim asserts. Status Up -> Partial.
- AM-129 · Partial · 10 Jun 2026
One of three read-against anchors unanchored on re-review. The claim text cites 'Stanford Digital Economy Lab Enterprise AI Playbook (12/88 bimodal ROI distribution at 12-18 months)' and frames the realistic ROI band around 'the highest-discipline 12% cohort'. Full-text verification on 10 Jun 2026 found the playbook contains no 12/88 distribution, no bimodal ROI shape, and no 12-18-month ROI measurement point (full finding at AM-029, correction of 10 Jun 2026). The claim's core negative finding — no mid-market enterprise has produced a documented +240% ROI in 90 days under audited conditions — is unaffected; the McKinsey State of AI 2025 and MIT NANDA legs verify and continue to support it. The '12% cohort' framing has no verifiable referent. The only verified figure carrying the 12/88 numerals is IDC's pilot-graduation finding (roughly 88% of AI proof-of-concepts never reach production; via CIO.com, Mar 2025), a different metric. Status Up -> Partial.
Reviews coming up in Reporting
- AM-063 · Holding · next +9d (27 Jun 2026)
AI agents executing financial transactions need a four-control bundle (action-approval gates by blast radius, kill-swit…
- AM-061 · Holding · next +9d (27 Jun 2026)
Production agentic-AI costs at scale routinely run multiples of POC projections, and a layered optimisation programme c…
- AM-003 · Partial · next +9d (27 Jun 2026)
GPT-5 Pro's tiered-subscription model forces enterprises to classify problems by computational difficulty — $200/month…