Description
Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution
Impact:
An RCE vulnerability has been identified in Microsoft Semantic Kernel Python SDK, specifically within the InMemoryVectorStore filter functionality.
Patches:
The problem has been fixed in python-1.39.4. Users should upgrade to this version or higher.
Workarounds:
Avoid using InMemoryVectorStore for production scenarios.
References:
Release python-1.39.4 · microsoft/semantic-kernel · GitHub
PR to block use of dangerous attribute names that must not be accessed in filter expressions
Packages
semantic-kernel
Affected versions: < 1.39.4
Patched version: 1.39.4
Related vulnerabilities
Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade to this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios.
GitHub: CVE-2026-26030 Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable