CVE-2026-26030 is a CVSS 10.0 RCE in Microsoft Semantic Kernel's InMemoryVectorStore filter — any app using this component is fully compromisable with only low-privilege network access, no user interaction required. Patch to python-1.39.4 immediately; if patching is blocked today, remove InMemoryVectorStore from all production deployments as a workaround. This is the highest-severity class of AI framework vulnerability: a low-bar attacker achieving full server compromise through your AI's memory layer.
What is the risk?
Maximum severity (CVSS 10.0, S:C scope change). Network-reachable, low complexity, low privileges, zero user interaction — this is as exploitable as it gets. EPSS is currently low (0.089%), indicating no confirmed in-the-wild exploitation at publication time, but the simplicity of Python dunder-attribute sandbox escapes and Semantic Kernel's widespread enterprise adoption accelerates real-world risk. The changed scope means a compromised Semantic Kernel process can laterally affect the full host: credentials, downstream databases, model artifacts, and adjacent services.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Semantic Kernel | pip | < 1.39.4 | 1.39.4 |
What should I do?
1. PATCH: Upgrade semantic-kernel Python package to >= 1.39.4 now (`pip install 'semantic-kernel>=1.39.4'`).
2. WORKAROUND (if patch is blocked): Disable or replace InMemoryVectorStore in all production workloads — use an external vector store without the vulnerable filter evaluator.
3. INVENTORY: Audit all requirements.txt, Pipfiles, pyproject.toml, and container images for semantic-kernel < 1.39.4; run `pip show semantic-kernel` across AI workloads and CI/CD pipelines.
4. DETECT: Search application logs for filter expressions containing dunder patterns (`__class__`, `__globals__`, `__builtins__`, `__import__`) or OS command strings.
5. INPUT VALIDATION (defense-in-depth): Reject or sanitize filter expressions at the application layer before they reach the SDK, blocking double-underscore attribute references.
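One way to implement the DETECT and INPUT VALIDATION steps, as an added example that is not Semantic Kernel code and not the fix shipped in python-1.39.4. It assumes the filter reaches the application as a Python expression string; the function names, the log format and the sample lines are hypothetical and constructed for illustration.

```python
import ast
import re

# Any double-underscore name; covers __class__, __globals__, __builtins__, __import__.
DUNDER = re.compile(r"__\w+__")

def dunder_refs(expr: str) -> list[str]:
    """Return the dunder names a filter expression references ([] if none)."""
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError):
        # Unparseable input: fall back to a plain text match.
        return sorted(set(DUNDER.findall(expr)))
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and DUNDER.fullmatch(node.attr):
            found.add(node.attr)
        elif isinstance(node, ast.Name) and DUNDER.fullmatch(node.id):
            found.add(node.id)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Dunder names can also appear inside string literals.
            found.update(DUNDER.findall(node.value))
    return sorted(found)

def validate_filter(expr: str) -> str:
    """Application-layer guard: raise before the expression reaches the SDK."""
    refs = dunder_refs(expr)
    if refs:
        raise ValueError("filter rejected, dunder reference(s): " + ", ".join(refs))
    return expr

def scan_log(lines):
    """Detection pass: return (line_number, names) for lines with dunder tokens."""
    hits = []
    for number, line in enumerate(lines, 1):
        names = sorted(set(DUNDER.findall(line)))
        if names:
            hits.append((number, names))
    return hits

# Constructed sample log lines (hypothetical format, not real SDK output).
SAMPLE_LOG = [
    "2026-01-01T10:01:02Z INFO search filter=\"lambda x: x.category == 'hr'\"",
    "2026-01-01T10:01:09Z INFO search filter=\"lambda x: x.__class__.__init__.__globals__\"",
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(dunder_refs("lambda x: x.year > 2020"))
```

A guard like this is defense-in-depth only; it does not replace the upgrade to 1.39.4 or the removal of InMemoryVectorStore from production.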
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-26030 actively exploited?
No confirmed active exploitation of CVE-2026-26030 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-26030?
1. PATCH: Upgrade semantic-kernel Python package to >= 1.39.4 now (`pip install 'semantic-kernel>=1.39.4'`).
2. WORKAROUND (if patch is blocked): Disable or replace InMemoryVectorStore in all production workloads — use an external vector store without the vulnerable filter evaluator.
3. INVENTORY: Audit all requirements.txt, Pipfiles, pyproject.toml, and container images for semantic-kernel < 1.39.4; run `pip show semantic-kernel` across AI workloads and CI/CD pipelines.
4. DETECT: Search application logs for filter expressions containing dunder patterns (`__class__`, `__globals__`, `__builtins__`, `__import__`) or OS command strings.
5. INPUT VALIDATION (defense-in-depth): Reject or sanitize filter expressions at the application layer before they reach the SDK, blocking double-underscore attribute references.
What systems are affected by CVE-2026-26030?
This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, RAG pipelines, Agentic memory systems, AI application backends, Vector databases.
What is the CVSS score for CVE-2026-26030?
CVE-2026-26030 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 2.85%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0053 AI Agent Tool Invocation
- AML.T0072 Reverse Shell
What are the technical details?
Original Advisory
### Impact
An RCE vulnerability has been identified in Microsoft Semantic Kernel Python SDK, specifically within the `InMemoryVectorStore` filter functionality.
### Patches
The problem has been fixed in [python-1.39.4](https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4). Users should upgrade to this version or higher.
### Workarounds
Avoid using `InMemoryVectorStore` for production scenarios.
### References
- [Release python-1.39.4 · microsoft/semantic-kernel · GitHub](https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4)
- [PR to block use of dangerous attribute names that must not be accessed in filter expressions](https://github.com/microsoft/semantic-kernel/pull/13505)
Exploitation Scenario
An attacker with a valid low-privilege account on a Semantic Kernel-based RAG application — a copilot, AI assistant, or semantic search service — submits a crafted vector store filter query containing a Python object-model traversal payload (e.g., referencing __class__.__init__.__globals__ to reach the 'os' or 'subprocess' module). The InMemoryVectorStore filter evaluator processes this expression server-side, executing arbitrary OS commands as the application process user. The attacker immediately exfiltrates environment variables containing LLM API keys and database credentials, establishes a reverse shell for persistence, and pivots laterally across the AI infrastructure to model artifact storage and downstream data pipelines.
Weaknesses (CWE)
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2026-25592 | 9.9 | semantic-kernel: Path Traversal enables file access | Same package: semantic-kernel |
| CVE-2025-5120 | 10.0 | smolagents: sandbox escape enables unauthenticated RCE | Same attack type: Supply Chain |
| CVE-2025-2828 | 10.0 | LangChain RequestsToolkit: SSRF exposes cloud metadata | Same attack type: Auth Bypass |
| CVE-2025-53767 | 10.0 | Azure OpenAI: SSRF EoP, no auth required (CVSS 10) | Same attack type: Auth Bypass |
| CVE-2023-3765 | 10.0 | MLflow: path traversal allows arbitrary file read | Same attack type: Supply Chain |