GitHub: CVE-2026-26030 Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable

Overview

Severity: Critical (CVSS 9.9)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Unlikely
Patch Tuesday: 2026-Mar
Released: 2026-03-10
Last Updated: 2026-03-12
EPSS Score: 0.10% (percentile: 27.7%)

Description

CVE-2026-26030 is a remote code execution vulnerability in the Microsoft Semantic Kernel Python SDK, specifically in the InMemoryVectorStore filter functionality. GitHub created this CVE on their behalf. This document incorporates the updates in the Microsoft Semantic Kernel repository that address this vulnerability. Please see CVE-2026-26030 for more information.

FAQ

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

How could an attacker exploit this vulnerability?

An attacker would need to reach an application that uses the vulnerable Semantic Kernel Python SDK and allows users to submit filter strings (for example, as part of search or query options) over the network. By sending a specially crafted filter value to such an application, the attacker could cause their code to run on the server with the application's permissions, without needing to sign in or rely on any action from another user, provided this functionality is exposed to untrusted input.

Detection & Weaponization (1 sources)

Maturity: Exploit

  • GitHub PoC: 1 repository

Affected Products (1)

Open Source Software

  • Microsoft Semantic Kernel Python SDK

Security Updates (2)

Acknowledgments

Eran Shimony with Cyberark, Dor Edry with Microsoft, Amit Eliahu with Microsoft, Cris Staicu with Endor Labs, Dan Aridor with Dan Aridor Holdings LTD, ZhangXupeng, Deniz Güney Yıldırım, Yoshizawa

Revision History

  • 2026-03-10: Information published.
  • 2026-03-12: Acknowledgement added. This is an informational change only.