← back
CVE-2026-26030

Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution

CVSS 10 CRITICALEPSS 2.9%CWE-94
Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
microsoft · semantic-kernel
public PoCs found1
githubgithub.com/InertFluid/sk-cve-2026-26030-lab1
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/microsoft/semantic-kernel/pull/13505https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx