AI Agent Platform Updates: Mid-May 2026
Microsoft patches RCE in Semantic Kernel, LangGraph ships 4.0.x, ADK for Java drops, and MCP Gateway 1.0 goes stable.
The past week’s agent news is dominated by security. Microsoft disclosed two patched vulnerabilities in its Semantic Kernel agent framework that let prompt injection escalate to remote code execution, the LangGraph ecosystem closed out a round of CVEs with a 4.0.x patch series, and Google shipped ADK for Java 1.0 on top of the May 1st Gemini 3.1 Flash-Lite GA. The tooling layer is maturing fast — and so is the attack surface.
Here’s what shipped, what got patched, and what it means for teams running agents in production.
Microsoft Semantic Kernel: Prompt Injection to RCE
On May 7, Microsoft’s security research team published a technical writeup demonstrating how prompt injection in Semantic Kernel agents can become remote code execution. The headline: untrusted input crafted by an attacker arrives through chat prompts or external content sources, and unsanitized prompt-derived text reaches a shell tool that executes arbitrary commands on the target system.
The vulnerabilities (tracked as separate CVEs) were disclosed alongside patches for Semantic Kernel. The CERT/CC advisory (VU#431821) confirms the impact: arbitrary command execution triggered via crafted chat prompts. This isn’t a theoretical jailbreak — this is a framework-level design flaw where the boundary between user-controlled text and system-executed commands collapses.
For teams running Semantic Kernel agents: if you have custom tools that accept user-facing input and pass it to any execution environment (shell, API call, file write), audit the sanitization path immediately. The fix exists, but the broader lesson is that every agent framework with tool-calling capabilities now needs explicit input-to-sandbox boundaries.
LangGraph and OpenAI Agents SDK builders aren’t immune. The same class of vulnerability applies to any framework where prompts become tool arguments without an enforcement layer between them and the execution environment. Our earlier CISA breakdown covers the governance posture to prevent this class of breach.
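One shape such an enforcement layer can take, as an added example rather than code from Semantic Kernel, LangGraph or Microsoft's writeup: the model proposes a JSON tool call, every argument is checked against a per-tool pattern, paths are confined to a sandbox root, and the only shell-adjacent tool is invoked with a fixed argv and no command string. The registry, the `list_files` tool, the argument patterns and the `/tmp/agent-sandbox` root are assumptions.

```python
# Added example (not Semantic Kernel, LangGraph or Microsoft code): an enforcement
# layer between model-proposed tool calls and execution. The registry, the
# argument patterns and the sandbox root are assumptions.
import json
import re
import subprocess
from pathlib import Path

SANDBOX_ROOT = Path("/tmp/agent-sandbox")  # assumed sandbox root

class ToolCallRejected(ValueError):
    pass

def safe_path(rel: str) -> Path:
    """Resolve a model-supplied relative path; refuse anything that leaves the sandbox."""
    root = SANDBOX_ROOT.resolve()
    target = (root / rel).resolve()
    if target != root and root not in target.parents:
        raise ToolCallRejected(f"path escapes sandbox: {rel!r}")
    return target

def list_files(directory: str = ".") -> str:
    # Fixed argv and no shell: model text is an argument value, never part of a command line.
    proc = subprocess.run(["ls", "-1", str(safe_path(directory))],
                          capture_output=True, text=True, check=False)
    return proc.stdout

# tool name -> (callable, {argument name: full-match regex}); there is no raw "run command" tool
REGISTRY = {"list_files": (list_files, {"directory": r"[A-Za-z0-9_./-]{1,128}"})}

def validate(model_output: str) -> tuple[str, dict]:
    """Parse a JSON tool call proposed by the model and check it against the registry."""
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError as exc:
        raise ToolCallRejected(f"malformed tool call: {exc}") from exc
    if not isinstance(call, dict) or call.get("tool") not in REGISTRY:
        raise ToolCallRejected(f"unknown tool call: {model_output[:80]!r}")
    name, args = call["tool"], call.get("args", {})
    patterns = REGISTRY[name][1]
    if not isinstance(args, dict) or set(args) - set(patterns):
        raise ToolCallRejected("unexpected or malformed arguments")
    for key, value in args.items():
        if not isinstance(value, str) or not re.fullmatch(patterns[key], value):
            raise ToolCallRejected(f"argument {key!r} fails validation: {value!r}")
    return name, args

def dispatch(model_output: str) -> str:
    name, args = validate(model_output)  # anything rejected here never reaches a tool
    return REGISTRY[name][0](**args)
```

The regex rejects shell metacharacters and whitespace outright; `safe_path` is the second, independent layer that catches a syntactically clean value that still points outside the sandbox.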
LangGraph: CVE-2026-27794 Patched in 4.0.0, Point Releases Roll
The third LangGraph checkpoint CVE from the April cycle is now resolved. CVE-2026-27794 — a Remote Code Execution vulnerability in LangGraph’s caching layer when applications enable cache backends inheriting from BaseCache with CachePolicy — was fixed in langgraph-checkpoint 4.0.0 (NVD entry).
Since then, LangGraph has shipped two point releases: checkpoint 4.0.2 and 4.0.3, plus a CLI version bump and core 0.6.0 with a @deprecated_checkpoint_multitask flag (GitHub releases). The checkpoint package is now stable at 4.0.x, but teams still on 3.x or running custom BaseCache implementations should treat this as a mandatory upgrade.
The pattern across all four LangGraph-related CVEs from the April-May window is consistent: checkpoint storage is a security boundary. Whether it’s deserialization (CVE-2026-28277), Redis query injection (CVE-2026-27022), cache RCE (CVE-2026-27794), or path traversal (CVE-2026-34070), the vulnerability surface is wherever agent state gets persisted and deserialized. If your architecture treats checkpoint stores as simple key-value caches, it’s time to rethink that assumption.
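What treating the checkpoint store as a boundary can look like in code, as an added example that is not LangGraph's checkpoint implementation: the ids that name a stored checkpoint are validated before they become backend keys (the path-traversal and query-injection classes above), state is serialized as plain JSON rather than a pickle, and a MAC over the stored bytes is verified before anything is parsed (the deserialization class). The id pattern, the envelope layout, the in-memory backend and the MAC secret are assumptions.

```python
# Added example (not LangGraph's checkpoint code): a checkpoint store that treats
# persistence as a security boundary. The id pattern, envelope layout, in-memory
# backend and MAC secret are assumptions.
import hashlib
import hmac
import json
import re

ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # no '/', '..', '*', spaces: can't become a path or query
MAC_KEY = b"assumed-per-deployment-secret-from-a-vault"

class CheckpointRejected(ValueError):
    pass

def storage_key(thread_id: str, checkpoint_id: str) -> str:
    """Build a backend key only from ids that match the strict pattern."""
    for label, value in (("thread_id", thread_id), ("checkpoint_id", checkpoint_id)):
        if not isinstance(value, str) or not ID_RE.fullmatch(value):
            raise CheckpointRejected(f"bad {label}: {value!r}")
    return f"{thread_id}/{checkpoint_id}"

def seal(state: dict) -> bytes:
    """Serialize as plain JSON (no pickle, no type tags) and append a MAC over the bytes."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag

def unseal(blob: bytes) -> dict:
    """Verify the MAC before parsing anything; reject tampered or foreign blobs."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise CheckpointRejected("checkpoint MAC mismatch")
    state = json.loads(body)
    if not isinstance(state, dict):
        raise CheckpointRejected("checkpoint root must be a JSON object")
    return state

class CheckpointStore:
    """Thin wrapper; the dict stands in for Redis, Postgres or a directory of files."""
    def __init__(self) -> None:
        self._backend: dict[str, bytes] = {}

    def put(self, thread_id: str, checkpoint_id: str, state: dict) -> None:
        self._backend[storage_key(thread_id, checkpoint_id)] = seal(state)

    def get(self, thread_id: str, checkpoint_id: str) -> dict:
        return unseal(self._backend[storage_key(thread_id, checkpoint_id)])
```

Because `json.dumps` refuses arbitrary objects, state that would need pickling fails at write time rather than becoming a gadget at read time.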
Google Agent Development Kit: ADK for Java 1.0.0
Google announced ADK for Java 1.0.0 this week, extending its Agent Development Kit — originally released in Python — to the Java ecosystem. ADK is Google’s internal agent framework made public, and the multi-language reach signals that Google views agent building as a general-purpose SDK concern, not just a Python-ML-stack problem.
This matters for enterprise teams because:
- Many back-end services in large organizations are Java-first. Giving agents first-class Java support means teams don’t need to bolt Python agent orchestration onto Java services via REST or gRPC bridges.
- ADK already supports Gemini models natively. The Java version inherits the same model access, including the newly GA Gemini 3.1 Flash-Lite — Google’s highest-throughput, lowest-cost model for agent hot paths (preview deprecates May 25; see our week-2 update for details).
ADK’s architecture — with its session management, tool registry, and agent-to-agent communication primitives — puts it in direct comparison with OpenAI’s Agents SDK and Anthropic’s Claude Agent SDK. The Java port is a strategic move into enterprises that standardize on the JVM.
Anthropic: Claude Code 3.5 and Stability Fixes
Anthropic released Claude Code 3.5 with multi-repository context synthesis — maintaining coherent context across up to 50 linked repositories simultaneously (SkillsLLM, May 9). For teams managing microservice architectures, this means a single coding agent session can refactor across repos while preserving type safety and API contracts. Early adopters report a 60% reduction in cross-service integration bugs.
The May 2026 Anthropic release notes (Releasebot) also document a cluster of stability fixes: stricter auto-mode rules, MCP server configuration hardening in .mcp.json, terminal rendering fixes, and enterprise feedback survey support for Claude Code sessions. The MCP fixes are particularly relevant given the security advisory coverage we published earlier this month — MCP server configuration is becoming a managed surface rather than a file you hand-edit.
MCP Gateway 1.0: A Standardized Routing Layer
The Model Context Protocol community announced MCP Gateway 1.0, a standardized routing layer letting agents dynamically discover and invoke context providers across organizational boundaries (SkillsLLM, May 9). Key details:
- Major integrations include Salesforce, MongoDB, and AWS services
- 200+ pre-built connectors in the official registry
- Enterprise-grade security: credential vaulting and audit logging
Gateway 1.0 is the operationalization layer for MCP. It moves the protocol from ad-hoc server connections to a managed routing fabric — which is exactly what production deployments need when agents call dozens of tools across different providers and internal systems.
What We’re Tracking Next
Four signals from this week’s news:
- RCE in agent frameworks is a solved problem only after it happens. Microsoft’s disclosure, LangGraph’s CVE cascade, and the CERT/CC advisory all confirm that prompt-to-shell escalation is real and exploitable. The framework maintainers are patching, but teams need to audit their own tool definitions and input sanitization paths.
- Checkpoint storage is the new attack surface. Every LangGraph CVE from the past month targets the state persistence layer. If you run agents, treat your checkpoint backend the same way you treat secrets management — scoped, isolated, and audited.
- Language coverage is becoming a competitive axis. ADK for Java joins the OpenAI Agents SDK (Python + TypeScript) and Claude Agent SDK (Python). Agents are moving from research to enterprise infrastructure, and that means multi-language support matters.
- MCP is moving from protocol to platform. Gateway 1.0 with enterprise security features and 200+ connectors means MCP is no longer something you wire up manually — it’s something you route through.
For the broader picture on agent security posture, see our CISA advisory breakdown and complete framework decision guide. And for the earlier wave of May updates — OpenAI sandboxes, GPT-5.5 Instant, and AWS AgentCore Optimization — read the week-2 platform roundup.