ThreatLevelBeta
Planned Fix

CVE-2026-26030

Remote Code Execution in Microsoft Semantic Kernel
Loading...

Summary

Microsoft Semantic Kernel's Python SDK has a remote code execution flaw in the InMemoryVectorStore filter functionality in versions before 1.39.4. A low-privileged attacker can supply crafted filter expressions that are evaluated unsafely, causing arbitrary Python code execution in the application process. In affected deployments this can lead to data theft, service takeover, or full host compromise.

Why Planned Fix?

4/6
Authentication required
Mixed internet / internal deployment
No user interaction needed
Not exploitable in default configuration
Public PoC available
High impact vulnerability

Exploitation Details

Type
RCE (Remote Code Execution)
Is exploitable with default configuration?
No
Is authentication needed?
Yes
PoC / Exploit
Yes
github.com
Impact

Execute arbitrary Python code in the application process

RCE (Remote Code Execution)
Exploitation Requirements
  • Authentication required
  • InMemoryVectorStore is used by the application
  • Dynamic or untrusted filter expressions are accepted
Exploitation Process

An attacker targets an application that exposes Semantic Kernel's InMemoryVectorStore filtering to user-controlled input. They send a crafted filter expression that abuses unsafe attribute traversal and reaches builtins or globals, causing the SDK to evaluate attacker-controlled Python code. If the payload succeeds, the code runs inside the application's Python runtime and can be used to execute commands or steal data.

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
Tenable Nessus
1

Affected Software

Vendor:Microsoft
ProductAffected Versions
Microsoft Semantic Kernel Python SDK< 1.39.4
Description

Open-source Python SDK for building AI agents and multi-agent applications with Semantic Kernel.

Deployment:Mixed (internet/internal)
|
Protocol:Unknown
|
Ports:
Affected ComponentInMemoryVectorStore filter expression evaluation

InMemoryVectorStore filter expression evaluation

Enterprise UsageEstimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Very Low
Low
Medium
High
Very High
Vendor Size:Big
Remediation
Workaround
Avoid using InMemoryVectorStore in production and do not pass untrusted input into filter expressions.

Avoid using InMemoryVectorStore in production and do not pass untrusted input into filter expressions.

github.com
Patch

Not available

Update

Upgrade semantic-kernel to version 1.39.4 or later.

github.com
Threat Intelligence
EPSS Score0.1%

Probability of exploitation in the next 30 days

EPSS Percentile28%

Worse than 28% of all CVEs

Last updated: Loading...
CISAKEV
CISA KEV
Not Listed
Active Exploitation
No Evidence
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data

Published: Loading...Modified: Loading...

Description Summary

Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios.

CVSS Base Score

9.9
Critical

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Attack Vector (AV)
Physical
Local
Adjacent
Network
Attack Complexity (AC)
High
Low
Privileges Required (PR)
High
Low
None
User Interaction (UI)
Required
None
Scope (S)
Unchanged
Changed
Confidentiality (C)
None
Low
High
Integrity (I)
None
Low
High
Availability (A)
None
Low
High
CWE:CWE-94 Code Injection
|
NVD:CVE-2026-26030
|
Version From:
|
Version Upto:1.39.4

Affected Software (CPE) (1)

  • cpe:2.3:a:microsoft:semantic_kernel:*:*:*:*:*:python:*:*

Sources

6
SourceArticle
nvd.nist.govCVE-2026-26030 Detail
github.comInMemoryVectorStore filter functionality vulnerable to remote code execution
github.comRelease python-1.39.4
github.comPython: refinement of filtering #13505
github.comMicrosoft Semantic Kernel < 1.39.4 – Remote Code Execution PoC
tenable.comCVE-2026-26030

Priority History

Planned FixLoading...

Initial analysis