Semantic Kernel 1.76.0 Ships a Security-Heavy .NET Patch After Microsoft’s Prompt-Injection RCE Research

Semantic Kernel 1.76.0 is the kind of release that looks boring until you read it with the right threat model. Microsoft did not ship a new agent abstraction here. It shipped path validation, OpenAPI escaping, gRPC address allowlists, cloud-drive defaults, upload-directory controls, and dependency vulnerability updates. In other words: the work you do after you stop pretending prompt injection is a chat problem and start treating it as an execution problem.

The timing is not subtle. Four days before this release, Microsoft Security published a research post with the headline-level warning every agent platform team should have printed above their tool registry: “The AI model itself isn’t the issue” when it parses natural language into tool schemas. “The vulnerability lies in how the framework and tools trust the parsed data.” That sentence is the whole beat. Once an agent can touch files, URLs, cloud drives, OpenAPI endpoints, or gRPC services, every model-influenced argument is attacker-controlled input until proven otherwise.

Semantic Kernel’s .NET 1.76.0 release is a direct engineering response to that reality. The changelog includes CloudDrivePlugin hardening, OpenAPI plugin input validation, gRPC plugin address handling, DocumentPlugin path-validation ordering, deny-by-default upload directories, and package updates for known vulnerabilities. GitHub’s release API shows the tag was published on May 11 at 09:37 UTC, and the repository remains a major agent-framework surface with roughly 27,000+ stars. This is not a niche library quietly tightening screws. It is one of the frameworks Microsoft itself described as part of the “operating system for AI agents.”

The useful fix is not “better prompting.” It is less reachable authority.

The CloudDrivePlugin changes are the clearest signal. PR #13958 changes share-link defaults from anonymous to organization scope, adds path validation for share operations, improves path canonicalization, and includes regression tests. The surrounding release also adds deny-by-default AllowedUploadDirectories to CloudDrivePlugin via #13953. That is the right default posture. If a model can influence which path gets read, uploaded, or shared, then anonymous sharing is not a convenience feature. It is a data-loss primitive waiting for the right prompt injection.

The specific details matter because path validation is where many security claims go to die. Normalizing remote paths, rejecting traversal patterns such as /Documents/../Confidential/secret.docx, and handling UNC-style edge cases are not implementation trivia. They are the difference between “we check paths” and “we check the path the operating system or remote service will actually use.” Engineers have learned this lesson repeatedly in web apps, ZIP extraction, file uploads, and static file servers. Agent frameworks are now relearning it under model-controlled input.

The DocumentPlugin fix follows the same rule. PR #13956 canonicalizes file paths by expanding environment variables and resolving absolute paths before validating against AllowedDirectories. That ordering is the whole bug class. If validation happens before canonicalization, the check may approve a string that becomes dangerous after expansion or path resolution. The plugin also moves environment-variable expansion out of the lower-level file-system connector, which is good layering: policy belongs where the decision is made, not hidden in a helper that changes the path after the guardrail has already nodded it through.

OpenAPI and gRPC tools need destination control, not model trust.

The OpenAPI plugin hardening in #13962 is just as important for teams turning internal APIs into agent tools. The patch strengthens validation for server-variable substitution and path parameter handling, including escaping LLM-supplied OpenAPI server-variable values and rejecting dot segments introduced through path parameters. That sounds narrow. It is not. OpenAPI is the shortest path from “we already have APIs” to “the agent can operate our business systems,” which means sloppy URL construction becomes agent SSRF, traversal, or unauthorized internal reachability.

gRPC gets the same treatment. PR #13961 adds GrpcFunctionExecutionParameters so developers can control address handling, including optional address overrides, allowed base addresses, and scheme restrictions. The important phrase is “developer-controlled.” The model should express intent; the application should constrain destinations. If an agent chooses the endpoint, the method, and the payload with insufficient policy around all three, you have not built a tool. You have built a polite request smuggler.

This is where Microsoft’s May 7 research post is useful context rather than marketing garnish. The post described prompt-injection-to-RCE flaws in Semantic Kernel and framed the broader issue plainly: frameworks map model outputs to system tools, and a single vulnerability in that mapping layer can carry systemic risk. The disclosed examples were fixed, but the lesson is larger than those CVEs. Prompt injection becomes serious when the parsed model argument flows into a privileged sink — a file path, shell-adjacent operation, plugin call, network address, cloud-drive share, upload directory, or API URL.

Semantic Kernel 1.76.0 does not claim to “solve prompt injection.” Good. That would be unserious. Instead, it reduces the blast radius by making dangerous operations narrower, more explicit, and less default-permissive. That is the mature move. You do not stop SQL injection by telling users not to type apostrophes; you parameterize queries and constrain permissions. Agent frameworks need the same boring discipline.

Dependency patches are part of the agent boundary too.

The release also updates Kiota packages for a NU1903 vulnerability and bumps Snappier to 1.3.1 to address GHSA-pggp-6c3x-2xmx. These are easy to skim past because they are not agent-specific. Skipping them would be a mistake. Agent frameworks accumulate dependencies across model clients, OpenAPI generators, document connectors, vector stores, serializers, transport libraries, telemetry, and plugin ecosystems. The supply chain is not adjacent to the runtime. It is the runtime.

For practitioners, the action item is not merely “upgrade,” though yes, upgrade if you expose Semantic Kernel .NET agents to documents, cloud drives, OpenAPI plugins, gRPC plugins, or uploaded files. The real action item is to use this release as a review checklist for every custom plugin in your stack.

Start with paths. Canonicalize before validation. Test traversal before and after environment-variable expansion. Include UNC paths if you run on Windows. Make allowed directories deny-by-default and explicit. Then look at network destinations. If a model-influenced field can alter a host, scheme, base path, server variable, or route parameter, escape it, validate it, and constrain it against an allowlist. Do not rely on the model to “choose the right internal service.” Models do not own your network policy.

Then audit sharing and upload behavior. Anonymous-by-default sharing is hostile to agent safety. Upload directories should be explicit. Read scopes should differ from write scopes. A tool that can read broadly and write broadly is not flexible; it is overprivileged. Finally, test observability around rejected tool calls. A denied traversal attempt should be visible in logs or traces, not disappear as a vague tool failure. If you cannot distinguish “bad user input” from “prompt injection tried to cross a boundary,” incident response will be mostly vibes.

The broader pattern is what matters. Agent security is moving out of blog-post theory and into framework maintenance: deny-by-default paths, canonicalization order, escaped server variables, destination allowlists, dependency CVEs, and safer plugin defaults. That is less exciting than a new multi-agent orchestration demo. It is also what makes those demos survivable in production.

Semantic Kernel 1.76.0 is worth attention because it shows the industry’s center of gravity shifting. The next trustworthy agent framework will not be the one with the cleverest prompt wrapper. It will be the one that assumes tool arguments are hostile, makes authority explicit, and treats every plugin boundary like production infrastructure. LGTM — but only if teams actually upgrade and copy the pattern into their own code.

Sources: Microsoft Semantic Kernel GitHub release, Microsoft Security, PR #13958, PR #13962, PR #13961, PR #13956