The May 2026 AI Agent Framework RCE Wave: When Prompts Become Shells

Five RCE and auth-bypass CVEs hit AI agent frameworks in 31 days — one exploited in under four hours. All five trace back to the same failure: agent identity is text.

Key Findings

  • A Sysdig honeypot recorded a scanner probing the PraisonAI vulnerable endpoint 3 hours 44 minutes after public disclosure — the fastest documented exploit-to-scan cycle on an AI framework to date.
  • Microsoft disclosed two critical RCE flaws in its own Semantic Kernel SDK (CVSS 9.9), while a third Microsoft CVE in Azure AI Foundry — scored 10.0 — was already exploited in the wild at disclosure.
  • Every CVE reduces to one pattern: agent identity is derived from a string the attacker can write — a prompt, a Host header, a decorator, a default boolean, or a path-routed token.

On May 7, 2026, the Microsoft Security Response Center published research titled “When prompts become shells” and disclosed two remote-code-execution bugs in its own Semantic Kernel SDK. The same day, MSRC quietly cataloged a privilege-escalation flaw in Azure AI Foundry’s M365 Agents that was already being exploited in the wild with no patch available. Four days later, researchers disclosed “BadHost” in Starlette, the ASGI framework backing FastAPI, vLLM, LiteLLM, and most production MCP servers.

Five CVEs. Four frameworks. One month. One architectural failure.

The model is not the bug. The model is doing what models do: parsing language into tool schemas. The bug is that the frameworks around the model have built their identity layer out of strings — prompts, decorators, headers, default booleans, path tokens, bearer credentials — and any of those strings can be written, forged, or routed around by an unauthenticated attacker with network reach.

  • 5: RCE / auth-bypass CVEs in 31 days
  • 3h 44m: fastest exploit-to-internet-scan cycle
  • 10.0: peak CVSS, exploited at disclosure

The inflection point nobody scheduled

Gartner forecasts worldwide information-security spending will reach $244.2 billion in 2026, against worldwide AI spending of $2.5 trillion — meaning enterprises are investing roughly 17 times more in AI-amplified security tools than in securing the AI those tools run on. Agentic deployment is outpacing security governance across the industry.

Agent identity built on text is structurally indefensible.

— The thesis OWASP, IETF, FIDO and the SPIFFE community have argued for two years

Why the same bug keeps appearing

Each advisory looks different on the surface — a decorator here, a Host header there, a hardcoded default somewhere else. But strip the framework-specific detail and the shape is identical: the system trusts a string to tell it who is calling. When that string is attacker-writable, authentication is theater.

  • Prompt-as-identity: the agent infers authority from instructions it was handed.
  • Header-as-identity: a Host or forwarding header selects the trust context.
  • Default-as-identity: a boolean ships true and nobody flips it.

The fix is not a better prompt. It is cryptographic workload identity — short-lived, verifiable, and bound to the workload rather than to text. That is precisely what the IETF agent-auth draft and the SPIFFE community are building toward, and where certificate-based identity has spent two decades earning its keep.
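To make the contrast concrete, here is an added illustration (not code from any advisory, framework or project named in this piece): an agent gateway that derives the caller's identity from the Host header beside one that accepts only a signed, short-lived workload credential. It uses an HMAC-signed token as a stand-in for a SPIFFE SVID, and the SPIFFE IDs, tool policy and signing key are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed policy: which workload identity may invoke which agent tool.
TOOL_POLICY = {
    "spiffe://example.org/agent/billing": {"read_invoices"},
    "spiffe://example.org/agent/ops": {"read_invoices", "restart_service"},
}

def caller_from_host_header(headers):
    """Header-as-identity: the trust context is whatever the client wrote in
    Host. Nothing is verified, so the returned identity is only a claim."""
    host = headers.get("host", "")
    return "spiffe://example.org/agent/" + host.split(".")[0]

def _sign(secret, payload):
    return hmac.new(secret, payload, hashlib.sha256).digest()

def mint_workload_token(secret, workload, now, ttl=60):
    """Issued by a trusted identity service (demo stand-in for an SVID
    issuer): short-lived, bound to a workload name, integrity-protected."""
    payload = json.dumps({"sub": workload, "exp": now + ttl}).encode()
    return base64.urlsafe_b64encode(payload + _sign(secret, payload)).decode()

def caller_from_workload_token(secret, token, now):
    """Cryptographic identity: the claim is accepted only if the signature
    verifies and the token is unexpired; otherwise the caller has no identity."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except Exception:
        return None
    payload, sig = raw[:-32], raw[-32:]
    if not hmac.compare_digest(sig, _sign(secret, payload)):
        return None  # forged, tampered, or signed by another issuer
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # short lifetime limits replay of a leaked credential
    return claims["sub"]

def authorize(caller, tool):
    """Policy check; an unverified caller (None) gets nothing."""
    return caller is not None and tool in TOOL_POLICY.get(caller, set())
```

With the header path, any client that can set Host becomes whichever agent it names; with the token path, only a credential the issuer actually minted for that workload, and only within its lifetime, maps to an identity at all.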

What security teams should do this quarter

Inventory every agent framework and MCP server with network reach. Treat each as an unauthenticated RCE surface until proven otherwise. Replace string-derived trust with attested, certificate-backed workload identity wherever the framework allows it — and where it doesn’t, isolate the workload as if the auth layer were absent, because functionally it is.