{"dataType": "CVE_RECORD", "containers": {"adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"CRITICAL\"}"}}}], "affected": [{"vendor": "pypi", "product": "semantic-kernel", "versions": [{"status": "affected", "version": "0", "lessThan": "1.39.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/microsoft/semantic-kernel"}, {"url": "https://github.com/microsoft/semantic-kernel/pull/13505"}, {"url": "https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4"}, {"url": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx"}, {"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26030"}], "descriptions": [{"lang": "en", "value": "### Impact:\nAn RCE vulnerability has been identified in Microsoft Semantic Kernel Python SDK, specifically within the `InMemoryVectorStore` filter functionality.\n\n### Patches:\nThe problem has been fixed in [python-1.39.4](https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4). 
Users should upgrade to this version or higher.\n\n### Workarounds:\nAvoid using `InMemoryVectorStore` for production scenarios.\n\n### References:\n[Release python-1.39.4 · microsoft/semantic-kernel · GitHub](https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4)\n[PR to block use of dangerous attribute names that must not be accessed in filter expressions](https://github.com/microsoft/semantic-kernel/pull/13505)"}, {"lang": "en", "value": "Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution"}, {"lang": "en", "value": "Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade to this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios."}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "pypi", "dateUpdated": "2026-02-19T17:24:50Z", "x_subShortName": "pypi"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:2.3:a:microsoft:semantic_kernel:*:*:*:*:*:python:*:*"], "vendor": "microsoft", "product": "semantic_kernel", "versions": [{"status": "affected", "version": "0", "lessThan": "1.39.4", "versionType": "custom"}], "platforms": ["python"], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/microsoft/semantic-kernel/pull/13505", "tags": ["issue-tracking", "patch"]}, {"url": 
"https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx", "tags": ["patch", "vendor-advisory"]}, {"url": "https://github.com/microsoft/semantic-kernel/releases/tag/python-1.39.4", "tags": ["release-notes"]}], "descriptions": [{"lang": "en", "value": "Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios."}, {"lang": "es", "value": "Semantic Kernel, el SDK de Python de kernel semántico de Microsoft, tiene una vulnerabilidad de ejecución remota de código en versiones anteriores a la 1.39.4, específicamente dentro de la funcionalidad de filtro de 'InMemoryVectorStore'. El problema ha sido solucionado en la versión 'python-1.39.4'. Los usuarios deberían actualizar a esta versión o una superior. Como solución alternativa, evite usar 'InMemoryVectorStore' para escenarios de producción."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-94", "description": "CWE-94"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-A000-000000000003", "shortName": "nvd", "dateUpdated": "2026-02-19T17:24:50Z", "x_subShortName": "nvd"}}}, "cveMetadata": {"cveId": "CVE-2026-26030", "state": "PUBLISHED", "dateUpdated": "2026-03-03T16:32:10Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T17:24:50Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.0"}