CVE-2026-26030

GHSA-xjw9-4gw8-4rqx CRITICAL
Published February 19, 2026
CISO Take

CVE-2026-26030 is a CVSS 10.0 RCE in Microsoft Semantic Kernel's InMemoryVectorStore filter — any app using this component is fully compromisable with only low-privilege network access, no user interaction required. Patch to python-1.39.4 immediately; if patching is blocked today, remove InMemoryVectorStore from all production deployments as a workaround. This is the highest-severity class of AI framework vulnerability: a low-bar attacker achieving full server compromise through your AI's memory layer.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| semantic-kernel | pip | < 1.39.4 | 1.39.4 |

Severity & Risk

CVSS 3.1: 10.0 / 10
EPSS: 0.1% chance of exploitation in 30 days
KEV Status: Not in KEV
Sophistication: Moderate

Recommended Action

  1. PATCH: Upgrade semantic-kernel Python package to >= 1.39.4 now (pip install 'semantic-kernel>=1.39.4').
  2. WORKAROUND (if patch is blocked): Disable or replace InMemoryVectorStore in all production workloads — use an external vector store without the vulnerable filter evaluator.
  3. INVENTORY: Audit all requirements.txt, Pipfiles, pyproject.toml, and container images for semantic-kernel < 1.39.4; run 'pip show semantic-kernel' across AI workloads and CI/CD pipelines.
  4. DETECT: Search application logs for filter expressions containing dunder patterns (__class__, __globals__, __builtins__, __import__) or OS command strings.
  5. INPUT VALIDATION (defense-in-depth): Reject or sanitize filter expressions at the application layer before they reach the SDK, blocking double-underscore attribute references.
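One way to implement steps 4 and 5 as an application-layer pre-check, shown as an added example that is not code from Semantic Kernel or from this advisory. It assumes filters arrive as Python expression strings; the function names, the `BLOCKED_NAMES` list, the length cap and the sample inputs are this example's own.

```python
import ast
import re

# Callables that can reach attributes or code indirectly (this example's own list).
BLOCKED_NAMES = {"getattr", "setattr", "eval", "exec", "compile", "globals", "vars", "open"}
DUNDER_RE = re.compile(r"__\w+__")  # matches __class__, __globals__, __builtins__, __import__
MAX_LEN = 500  # assumed cap; keeps oversized or deeply nested input away from the parser

def filter_violations(expr: str) -> list[str]:
    """Return the reasons to reject a filter expression; an empty list means accept."""
    if len(expr) > MAX_LEN:
        return ["too long"]
    try:
        tree = ast.parse(expr, mode="eval")  # parse only, never evaluate
    except (SyntaxError, ValueError) as exc:
        return [f"unparseable: {exc}"]
    reasons = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            reasons.append(f"dunder attribute: {node.attr}")
        elif isinstance(node, ast.Name) and (node.id.startswith("__") or node.id in BLOCKED_NAMES):
            reasons.append(f"blocked name: {node.id}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and "__" in node.value:
            # Strict on purpose: also rejects harmless literals that contain "__".
            reasons.append(f"dunder in string literal: {node.value!r}")
    return reasons

def suspicious_log_lines(lines: list[str]) -> list[str]:
    """Detection pass (step 4): return log lines that contain a dunder token."""
    return [line for line in lines if DUNDER_RE.search(line)]

# Constructed sample inputs, not taken from any real application or log.
SAMPLE_FILTERS = [
    'lambda x: x.category == "docs" and x.year > 2020',
    "lambda x: x.__class__.__init__.__globals__",
    'lambda x: getattr(x, "__cl" + "ass__")',
    "lambda x: x.category ==",
]
SAMPLE_LOG = [
    "INFO search user=alice filter=\"lambda x: x.lang == 'en'\"",
    'INFO search user=bob filter="lambda x: x.__class__.__init__.__globals__"',
]

if __name__ == "__main__":
    for f in SAMPLE_FILTERS:
        print(f, "->", filter_violations(f) or "ok")
    for line in suspicious_log_lines(SAMPLE_LOG):
        print("ALERT", line)
```

The third sample shows why the check parses the expression instead of pattern-matching the raw string: the dunder name is split across two literals, so no `__class__` token appears in the text.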

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
- Article 15 - Accuracy, robustness and cybersecurity
- Article 9 - Risk management system

ISO 42001
- A.6.2.3 - Security testing of AI systems
- A.6.2.6 - Security of AI systems in operation
- A.9.2 - Information security for AI systems

NIST AI RMF
- GOVERN 1.7 - Organizational risk processes for AI supply chain
- GOVERN 6.2 - Policies and procedures for AI risk
- MANAGE 2.2 - Mechanisms to address AI risks

OWASP LLM Top 10
- LLM05 - Supply Chain Vulnerabilities
- LLM07 - Insecure Plugin Design
- LLM08 - Excessive Agency

Technical Details

NVD Description

### Impact

An RCE vulnerability has been identified in Microsoft Semantic Kernel Python SDK, specifically within the `InMemoryVectorStore` filter functionality.

### Patches

The problem has been fixed in [python-1.39.4](https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4). Users should upgrade to this version or higher.

### Workarounds

Avoid using `InMemoryVectorStore` for production scenarios.

### References

- [Release python-1.39.4 · microsoft/semantic-kernel · GitHub](https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4)
- [PR to block use of dangerous attribute names that must not be accessed in filter expressions](https://github.com/microsoft/semantic-kernel/pull/13505)

Exploitation Scenario

An attacker with a valid low-privilege account on a Semantic Kernel-based RAG application — a copilot, AI assistant, or semantic search service — submits a crafted vector store filter query containing a Python object-model traversal payload (e.g., referencing __class__.__init__.__globals__ to reach the 'os' or 'subprocess' module). The InMemoryVectorStore filter evaluator processes this expression server-side, executing arbitrary OS commands as the application process user. The attacker immediately exfiltrates environment variables containing LLM API keys and database credentials, establishes a reverse shell for persistence, and pivots laterally across the AI infrastructure to model artifact storage and downstream data pipelines.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: February 19, 2026
Last Modified: February 19, 2026
First Seen: March 24, 2026