Cyber Posture

CVE-2026-26030

Critical

Published: 19 February 2026
Modified: 03 March 2026
KEV Added: (no date given)
Patch: available
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Semantic Kernel, Microsoft's Semantic Kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade to this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely remediation of identified flaws by upgrading the vulnerable Semantic Kernel Python SDK to version 1.39.4 or higher to eliminate the RCE vulnerability.

Prevent: Enables restriction or prohibition of the vulnerable `InMemoryVectorStore` filter functionality in production, matching the vendor's workaround to prevent exploitation.

Detect: Supports scanning for and identifying the presence of vulnerable Semantic Kernel Python SDK versions to enable proactive flaw remediation.

Security Summary

CVE-2026-26030 is a remote code execution vulnerability (CWE-94: Code Injection) affecting Microsoft's Semantic Kernel Python SDK in versions prior to 1.39.4. The flaw resides specifically in the `InMemoryVectorStore` filter functionality, allowing arbitrary code execution. The vulnerability was published on 2026-02-19 and carries a CVSS v3.1 base score of 9.9, reflecting its critical severity.

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a changed scope (S:C), enabling full system compromise on affected deployments.

Mitigation is available by upgrading to version `python-1.39.4` or higher, as detailed in the GitHub security advisory (GHSA-xjw9-4gw8-4rqx), the release notes, and the associated pull request. As a workaround, avoid using `InMemoryVectorStore` in production scenarios.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: microsoft semantic kernel, version ≤ 1.39.4

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Remote code execution via code injection in the Python SDK enables exploitation of public-facing applications (T1190), execution through the Python interpreter (T1059.006), and privilege escalation from low privileges to full system compromise (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
