Critical RCE in Microsoft Semantic Kernel Python SDK

Executive Summary

A maximum-severity (CVSS 10.0) code injection vulnerability has been discovered in Microsoft's Semantic Kernel Python SDK, the company's primary AI orchestration framework used to build applications powered by large language models. The vulnerability resides in the InMemoryVectorStore filter functionality and allows an authenticated attacker with low privileges to execute arbitrary code on the host system.

CVSS Score: 10.0 (Critical)

Organizations using Semantic Kernel for AI-powered applications should upgrade to python-1.39.4 immediately.

Vulnerability Overview

Root Cause

CVE-2026-26030 is an Improper Control of Generation of Code vulnerability (CWE-94) in the InMemoryVectorStore filter mechanism. The filter functionality does not properly sanitize user-supplied filter expressions before evaluating them, allowing an attacker to inject and execute arbitrary Python code.

Attribute	Value
CVE ID	CVE-2026-26030
CVSS Score	10.0 (Critical)
Type	Code Injection (CWE-94)
Attack Vector	Network
Privileges Required	Low (authenticated user)
User Interaction	None
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High

Affected Versions and Patches

Product	Affected Versions	Fixed Version
Semantic Kernel Python SDK	All versions before 1.39.4	python-1.39.4

Why This Is Critical

Semantic Kernel's Role

Microsoft's Semantic Kernel is the core AI orchestration layer used to build intelligent applications. It connects LLMs (like Azure OpenAI, GPT-4, etc.) to enterprise data and services. Organizations use it for:

AI-powered chatbots with access to internal knowledge bases
Retrieval Augmented Generation (RAG) pipelines using vector stores
Automated workflows that combine AI reasoning with business logic
Enterprise copilot applications

The InMemoryVectorStore Attack Surface

The InMemoryVectorStore is used for semantic search — finding relevant documents based on meaning rather than keywords. The filter mechanism allows developers to narrow search results based on metadata criteria. The vulnerability means an attacker who can influence filter parameters can execute arbitrary code.

Attack Scenario

1. Attacker authenticates to an application built on Semantic Kernel
2. Application uses InMemoryVectorStore for semantic search
3. Attacker crafts a malicious filter expression
4. Filter expression is evaluated without proper sanitization
5. Arbitrary Python code executes on the application server
6. Attacker gains full control of the host system

Exploitation Status

Status	Detail
Public PoC	Not yet available
Active Exploitation	Not yet confirmed
Risk Level	Extremely High — low complexity, low privileges required

While no public exploit or in-the-wild exploitation has been confirmed, the vulnerability's characteristics make exploitation trivially easy once an attacker understands the filter mechanism.

Immediate Remediation

Upgrade Now

pip install semantic-kernel>=1.39.4

If Immediate Upgrade Is Not Possible

Do not use InMemoryVectorStore in production environments
Switch to an alternative vector store implementation (Azure Cognitive Search, Pinecone, etc.)
Restrict network access to Semantic Kernel applications
Audit filter inputs — Implement application-level input validation before passing filters to the vector store
Monitor for anomalous code execution from Python processes running Semantic Kernel

Detection

Behavioral Indicators

Indicator	Description
Unexpected child processes from Python	Code injection spawning system commands
Unusual network connections from SK application	Reverse shell or data exfiltration
File system modifications by SK process	Malware deployment or persistence
Anomalous filter expressions in application logs	Injection attempts in vector store queries

Broader AI Security Implications

This vulnerability highlights a growing trend: AI frameworks introduce novel attack surfaces that traditional application security does not adequately address:

Vector store queries are not subject to the same input validation scrutiny as SQL queries
AI orchestration layers often have broad system access to serve as integration hubs
Semantic search filters are a new class of injection vector unique to AI applications
The rush to deploy AI means many organizations skip security review of AI framework configurations

Key Takeaways

CVSS 10.0 — Maximum severity, trivially exploitable with low privileges
Microsoft Semantic Kernel Python SDK before 1.39.4 is affected
InMemoryVectorStore filter allows code injection leading to full system compromise
Upgrade to python-1.39.4 immediately
AI frameworks are the new attack surface — Apply the same security rigor to AI components as to traditional application code

References

Executive Summary

CVSS Score: 10.0 (Critical)

Organizations using Semantic Kernel for AI-powered applications should upgrade to python-1.39.4 immediately.

Vulnerability Overview

Root Cause

Attribute	Value
CVE ID	CVE-2026-26030
CVSS Score	10.0 (Critical)
Type	Code Injection (CWE-94)
Attack Vector	Network
Privileges Required	Low (authenticated user)
User Interaction	None
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High

Affected Versions and Patches

Product	Affected Versions	Fixed Version
Semantic Kernel Python SDK	All versions before 1.39.4	python-1.39.4

Why This Is Critical

Semantic Kernel's Role

AI-powered chatbots with access to internal knowledge bases
Retrieval Augmented Generation (RAG) pipelines using vector stores
Automated workflows that combine AI reasoning with business logic
Enterprise copilot applications

The InMemoryVectorStore Attack Surface

Attack Scenario

1. Attacker authenticates to an application built on Semantic Kernel
2. Application uses InMemoryVectorStore for semantic search
3. Attacker crafts a malicious filter expression
4. Filter expression is evaluated without proper sanitization
5. Arbitrary Python code executes on the application server
6. Attacker gains full control of the host system

Exploitation Status

Status	Detail
Public PoC	Not yet available
Active Exploitation	Not yet confirmed
Risk Level	Extremely High — low complexity, low privileges required

While no public exploit or in-the-wild exploitation has been confirmed, the vulnerability's characteristics make exploitation trivially easy once an attacker understands the filter mechanism.

Immediate Remediation

Upgrade Now

pip install semantic-kernel>=1.39.4

If Immediate Upgrade Is Not Possible

Do not use InMemoryVectorStore in production environments
Switch to an alternative vector store implementation (Azure Cognitive Search, Pinecone, etc.)
Restrict network access to Semantic Kernel applications
Audit filter inputs — Implement application-level input validation before passing filters to the vector store
Monitor for anomalous code execution from Python processes running Semantic Kernel

Detection

Behavioral Indicators

Indicator	Description
Unexpected child processes from Python	Code injection spawning system commands
Unusual network connections from SK application	Reverse shell or data exfiltration
File system modifications by SK process	Malware deployment or persistence
Anomalous filter expressions in application logs	Injection attempts in vector store queries

Broader AI Security Implications

This vulnerability highlights a growing trend: AI frameworks introduce novel attack surfaces that traditional application security does not adequately address:

Vector store queries are not subject to the same input validation scrutiny as SQL queries
AI orchestration layers often have broad system access to serve as integration hubs
Semantic search filters are a new class of injection vector unique to AI applications
The rush to deploy AI means many organizations skip security review of AI framework configurations

Key Takeaways

CVSS 10.0 — Maximum severity, trivially exploitable with low privileges
Microsoft Semantic Kernel Python SDK before 1.39.4 is affected
InMemoryVectorStore filter allows code injection leading to full system compromise
Upgrade to python-1.39.4 immediately
AI frameworks are the new attack surface — Apply the same security rigor to AI components as to traditional application code

Affected Products

Executive Summary

Vulnerability Overview

Root Cause

Affected Versions and Patches

Why This Is Critical

Semantic Kernel's Role

The InMemoryVectorStore Attack Surface

Attack Scenario

Exploitation Status

Immediate Remediation

Upgrade Now

If Immediate Upgrade Is Not Possible

Detection

Behavioral Indicators

Broader AI Security Implications

Key Takeaways

References

Related Reading

Affected Products

Executive Summary

Vulnerability Overview

Root Cause

Affected Versions and Patches

Why This Is Critical

Semantic Kernel's Role

The InMemoryVectorStore Attack Surface

Attack Scenario

Exploitation Status

Immediate Remediation

Upgrade Now

If Immediate Upgrade Is Not Possible

Detection

Behavioral Indicators

Broader AI Security Implications

Key Takeaways

References

Related Reading