Cyber Resilience

CVE-2026-26030

CriticalRCE

Published: 19 February 2026

Published
19 February 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0291 85.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-26030 is a critical-severity Code Injection (CWE-94) vulnerability in Microsoft Semantic Kernel. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26030 is a remote code execution vulnerability (CWE-94: Code Injection) affecting Microsoft's Semantic Kernel Python SDK in versions prior to 1.39.4. The flaw resides specifically in the `InMemoryVectorStore` filter functionality, allowing arbitrary code execution. The vulnerability was published on 2026-02-19 and carries a CVSS v3.1 base score of 9.9, reflecting its critical severity.

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a changed scope (S:C), enabling full system compromise on affected deployments.

Mitigation is available via upgrade to version python-1.39.4 or higher, as detailed in the GitHub security advisory (GHSA-xjw9-4gw8-4rqx), release notes, and associated pull request. As a workaround, avoid using `InMemoryVectorStore` in production scenarios.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade this version or higher. As…

more

a workaround, avoid using `InMemoryVectorStore` for production scenarios.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: semantic kernel

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Remote code execution via code injection in Python SDK enables exploitation of public-facing applications (T1190), Python interpreter execution (T1059.006), and privilege escalation from low privileges to full system compromise (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-49704Same vendor: Microsoft
CVE-2026-41094Same vendor: Microsoft
CVE-2025-21292Same vendor: Microsoft
CVE-2025-65037Same vendor: Microsoft
CVE-2026-42898Same vendor: Microsoft
CVE-2026-26118Same vendor: Microsoft
CVE-2026-21537Same vendor: Microsoft
CVE-2025-21187Same vendor: Microsoft
CVE-2025-29807Same vendor: Microsoft
CVE-2026-32211Same vendor: Microsoft

Affected Assets

microsoft
semantic kernel
≤ 1.39.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of identified flaws by upgrading the vulnerable Semantic Kernel Python SDK to version 1.39.4 or higher to eliminate the RCE vulnerability.

prevent

Enables restriction or prohibition of the vulnerable InMemoryVectorStore filter functionality in production, matching the vendor's workaround to prevent exploitation.

detect

Supports scanning for and identifying the presence of the vulnerable Semantic Kernel Python SDK versions to enable proactive flaw remediation.

References