CVE-2026-26030
Remote Code Execution in Semantic Kernel InMemoryVectorStore

Publication date: 2026-02-19

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade to this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios.

Meta Information
Published: 2026-02-19
Last Modified: 2026-03-03
Generated: 2026-06-16
AI Q&A: 2026-02-19
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 1 associated CPE

| Vendor | Product | Version / Range |
| --- | --- | --- |
| microsoft | semantic_kernel | to 1.39.4 (exc) |

| CWE ID | Description |
| --- | --- |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |

Executive Summary

This vulnerability exists in Microsoft's Semantic Kernel Python SDK, specifically in versions prior to 1.39.4. It is a remote code execution flaw found within the InMemoryVectorStore filter functionality. This means that an attacker could potentially execute arbitrary code remotely by exploiting this issue.

Impact Analysis

The vulnerability has a very high severity with a CVSS score of 9.9, indicating it can have a critical impact. Successful exploitation could allow an attacker to execute arbitrary code remotely, leading to full compromise of confidentiality, integrity, and availability of the affected system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade the Semantic Kernel Python SDK to version 1.39.4 or higher.

As a workaround, avoid using the InMemoryVectorStore filter functionality in production scenarios.
