CVE-2026-26030: semantic-kernel: Code Injection enables RCE

GHSA-xjw9-4gw8-4rqx CRITICAL
Published February 19, 2026

CISO Take

CVE-2026-26030 is a CVSS 10.0 RCE in Microsoft Semantic Kernel's InMemoryVectorStore filter — any app using this component is fully compromisable with only low-privilege network access, no user interaction required. Patch to python-1.39.4 immediately; if patching is blocked today, remove InMemoryVectorStore from all production deployments as a workaround. This is the highest-severity class of AI framework vulnerability: a low-bar attacker achieving full server compromise through your AI's memory layer.

Risk Assessment

Maximum severity (CVSS 10.0, S:C scope change). Network-reachable, low complexity, low privileges, zero user interaction — this is as exploitable as it gets. EPSS is currently low (0.089%), indicating no confirmed in-the-wild exploitation at publication time, but the simplicity of Python dunder-attribute sandbox escapes and Semantic Kernel's widespread enterprise adoption accelerates real-world risk. The changed scope means a compromised Semantic Kernel process can laterally affect the full host: credentials, downstream databases, model artifacts, and adjacent services.

Affected Systems

Package: semantic-kernel
Ecosystem: pip
Vulnerable Range: < 1.39.4
Patched: 1.39.4

Severity & Risk

CVSS 3.1: 10.0 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 28% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV: Network
AC: Low
PR: Low
UI: None
S: Changed
C: High
I: High
A: High

Recommended Action

  1. PATCH: Upgrade semantic-kernel Python package to >= 1.39.4 now (pip install 'semantic-kernel>=1.39.4').

  2. WORKAROUND (if patch is blocked): Disable or replace InMemoryVectorStore in all production workloads — use an external vector store without the vulnerable filter evaluator.

  3. INVENTORY: Audit all requirements.txt, Pipfiles, pyproject.toml, and container images for semantic-kernel < 1.39.4; run 'pip show semantic-kernel' across AI workloads and CI/CD pipelines.

  4. DETECT: Search application logs for filter expressions containing dunder patterns (__class__, __globals__, __builtins__, __import__) or OS command strings.

  5. INPUT VALIDATION (defense-in-depth): Reject or sanitize filter expressions at the application layer before they reach the SDK, blocking double-underscore attribute references.
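
An added example for steps 4 and 5 (not code from this page or from the Semantic Kernel project): it parses each filter expression with Python's ast module, rejects double-underscore names and any syntax outside a small allowlist, and runs the same check over logged filters. It goes beyond plain substring matching by also refusing calls and subscripts. Assumptions: filters are Python expression strings, logs carry a `filter=` field, and every function name, the allowlist and the sample log lines are constructed for illustration.

```python
import ast

# Assumption: filters are Python expression strings such as
# "lambda x: x.category == 'news'". All names here are illustrative.
ALLOWED_NODES = (
    ast.Expression, ast.Lambda, ast.arguments, ast.arg, ast.Load,
    ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.Compare,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
    ast.Attribute, ast.Name, ast.Constant, ast.List, ast.Tuple,
)

def filter_violations(expr: str) -> list[str]:
    """Return reasons to reject expr; an empty list means it is acceptable."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except (SyntaxError, ValueError, RecursionError, MemoryError) as exc:
        return [f"unparseable:{type(exc).__name__}"]
    problems = []
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            # Calls, subscripts, comprehensions, f-strings etc. are refused.
            problems.append(f"node:{type(node).__name__}")
        elif isinstance(node, ast.Attribute) and "__" in node.attr:
            # Conservative: any double underscore in an attribute is refused.
            problems.append(f"attr:{node.attr}")
        elif isinstance(node, ast.Name) and "__" in node.id:
            problems.append(f"name:{node.id}")
    return problems

def scan_log(lines):
    """Return (line_number, violations) for logged filters that fail the check."""
    hits = []
    for number, line in enumerate(lines, 1):
        _, found, expr = line.partition("filter=")
        if found and (violations := filter_violations(expr)):
            hits.append((number, violations))
    return hits

SAMPLE_LOG = [  # constructed sample lines; the log format is hypothetical
    "2026-02-20T10:00:01Z user=u1 filter=lambda x: x.category == 'news' and x.year >= 2024",
    "2026-02-20T10:00:07Z user=u2 filter=lambda x: x.__class__.__init__.__globals__",
    "2026-02-20T10:00:09Z user=u3 filter=lambda x: __import__('os')",
    "2026-02-20T10:00:12Z user=u1 GET /health",
]

if __name__ == "__main__":
    for number, violations in scan_log(SAMPLE_LOG):
        print(f"line {number}: {violations}")
```

Call `filter_violations` before a user-supplied filter reaches the SDK and reject the request when it returns a non-empty list; this complements the upgrade to 1.39.4 and does not replace it.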

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system

ISO 42001
  A.6.2.3 - Security testing of AI systems
  A.6.2.6 - Security of AI systems in operation
  A.9.2 - Information security for AI systems

NIST AI RMF
  GOVERN 1.7 - Organizational risk processes for AI supply chain
  GOVERN 6.2 - Policies and procedures for AI risk
  MANAGE 2.2 - Mechanisms to address AI risks

OWASP LLM Top 10
  LLM05 - Supply Chain Vulnerabilities
  LLM07 - Insecure Plugin Design
  LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-26030 actively exploited?

No confirmed active exploitation of CVE-2026-26030 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-26030?

  1. PATCH: Upgrade semantic-kernel Python package to >= 1.39.4 now (pip install 'semantic-kernel>=1.39.4').

  2. WORKAROUND (if patch is blocked): Disable or replace InMemoryVectorStore in all production workloads — use an external vector store without the vulnerable filter evaluator.

  3. INVENTORY: Audit all requirements.txt, Pipfiles, pyproject.toml, and container images for semantic-kernel < 1.39.4; run 'pip show semantic-kernel' across AI workloads and CI/CD pipelines.

  4. DETECT: Search application logs for filter expressions containing dunder patterns (__class__, __globals__, __builtins__, __import__) or OS command strings.

  5. INPUT VALIDATION (defense-in-depth): Reject or sanitize filter expressions at the application layer before they reach the SDK, blocking double-underscore attribute references.

What systems are affected by CVE-2026-26030?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, RAG pipelines, Agentic memory systems, AI application backends, Vector databases.

What is the CVSS score for CVE-2026-26030?

CVE-2026-26030 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.10%.

Technical Details

NVD Description

### Impact

An RCE vulnerability has been identified in Microsoft Semantic Kernel Python SDK, specifically within the `InMemoryVectorStore` filter functionality.

### Patches

The problem has been fixed in [python-1.39.4](https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4). Users should upgrade to this version or higher.

### Workarounds

Avoid using `InMemoryVectorStore` for production scenarios.

### References

- [Release python-1.39.4 · microsoft/semantic-kernel · GitHub](https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4)
- [PR to block use of dangerous attribute names that must not be accessed in filter expressions](https://github.com/microsoft/semantic-kernel/pull/13505)

Exploitation Scenario

An attacker with a valid low-privilege account on a Semantic Kernel-based RAG application — a copilot, AI assistant, or semantic search service — submits a crafted vector store filter query containing a Python object-model traversal payload (e.g., referencing __class__.__init__.__globals__ to reach the 'os' or 'subprocess' module). The InMemoryVectorStore filter evaluator processes this expression server-side, executing arbitrary OS commands as the application process user. The attacker immediately exfiltrates environment variables containing LLM API keys and database credentials, establishes a reverse shell for persistence, and pivots laterally across the AI infrastructure to model artifact storage and downstream data pipelines.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: February 19, 2026
Last Modified: February 19, 2026
First Seen: March 24, 2026

Related Vulnerabilities