{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26030", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T21:36:29.555Z", "datePublished": "2026-02-19T16:00:55.623Z", "dateUpdated": "2026-02-26T14:44:14.276Z"}, "containers": {"cna": {"title": "Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx"}, {"name": "https://github.com/microsoft/semantic-kernel/pull/13505", "tags": ["x_refsource_MISC"], "url": "https://github.com/microsoft/semantic-kernel/pull/13505"}, {"name": "https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4"}], "affected": [{"vendor": "microsoft", "product": "semantic-kernel", "versions": [{"version": "< 1.39.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T16:00:55.623Z"}, "descriptions": [{"lang": "en", "value": "Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios."}], "source": {"advisory": "GHSA-xjw9-4gw8-4rqx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26030", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T04:55:50.393336Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:14.276Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26030", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T04:55:50.393336Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T20:57:43.989Z"}}], "cna": {"title": "Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution", "source": {"advisory": "GHSA-xjw9-4gw8-4rqx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "microsoft", "product": "semantic-kernel", "versions": [{"status": "affected", "version": "< 1.39.4"}]}], "references": [{"url": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx", "name": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/microsoft/semantic-kernel/pull/13505", "name": "https://github.com/microsoft/semantic-kernel/pull/13505", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4", "name": "https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T16:00:55.623Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26030", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:14.276Z", "dateReserved": "2026-02-09T21:36:29.555Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T16:00:55.623Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:semantic_kernel:*:*:*:*:*:python:*:*", "matchCriteriaId": "C6E2587D-AC15-4660-BC94-3B2D03FD88E9", "versionEndExcluding": "1.39.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios."}, {"lang": "es", "value": "Semantic Kernel, el SDK de Python de kernel sem\u00e1ntico de Microsoft, tiene una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en versiones anteriores a la 1.39.4, espec\u00edficamente dentro de la funcionalidad de filtro de 'InMemoryVectorStore'. El problema ha sido solucionado en la versi\u00f3n 'python-1.39.4'. Los usuarios deber\u00edan actualizar a esta versi\u00f3n o una superior. Como soluci\u00f3n alternativa, evite usar 'InMemoryVectorStore' para escenarios de producci\u00f3n."}], "id": "CVE-2026-26030", "lastModified": "2026-03-03T16:32:10.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-19T17:24:50.487", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/microsoft/semantic-kernel/pull/13505"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.39.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "semantic-kernel", "source": "cna", "vendor": "microsoft"}, "product": "semantic-kernel", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-17T18:03:10.536501+00:00", "value": {"mitigation_remediation": ["Apply the official Semantic Kernel update to version python-1.39.4 or later.", "If an immediate upgrade is not feasible, discontinue use of InMemoryVectorStore in any production environment and replace it with a safe alternative storage solution.", "Review all code paths that supply filter expressions to ensure they do not accept untrusted input, and validate or sanitize such input before it reaches the vector store."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of Microsoft Semantic Kernel Python SDK versions preceding 1.39.4 are affected. The issue exists in the InMemoryVectorStore component of the SDK. Upgrading to version 1.39.4 or later eliminates the problem.", "description_and_impact": "Semantic Kernel, Microsoft\u2019s Python SDK, contains a flaw in the InMemoryVectorStore filter function that permits arbitrary code execution. The vulnerability is triggered when malicious input is used to craft a filter, which the store processes and evaluates, leading to execution of attacker-supplied code. The weakness corresponds to code injection as described by CWE-94.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 10, indicating critical severity. EPSS indicates a very low probability of exploitation (< 1%), and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector requires an attacker to inject malicious filter content that the application accepts, which could be provided by a remote user if filter input is exposed. Once exploited, the attacker gains full code execution privileges within the process hosting Semantic Kernel."}}}}, "created": "2026-02-20T10:06:21.874232+00:00", "updated": "2026-04-17T18:15:26.768124+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$semantic-kernel"]}