Microsoft disclosed a critical remote code execution vulnerability (CVSS 9.8) in the Semantic Kernel Python SDK — the orchestration framework used to build agentic AI applications at enterprise scale. The flaw was patched in the March 2026 Patch Tuesday release.
The vulnerability lives in the InMemoryVectorStore component's filter expression parser. When developers call similarity_search_with_score() or similarity_search_with_relevance_scores() with filter parameters, the component evaluates those expressions unsafely — allowing an attacker to inject and execute arbitrary Python code within the application context.
Any enterprise AI agent built with Semantic Kernel that processes untrusted input through vector search is exposed. Because Semantic Kernel is the orchestration layer beneath the agent, a successful exploit gives an attacker execution in the agent runtime — with full access to the agent's tool permissions, credentials, and connected services. The blast radius is not the application; it is everything the agent can reach.
Immediate action: Update the semantic-kernel Python package to the March 2026 patched release and audit any similarity_search calls that accept external or user-controlled filter parameters.
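The audit step above can be partly automated. The following added example (not code from Microsoft or the Semantic Kernel project) walks a Python source tree's AST and flags the calls named in the advisory whose `filter` keyword argument is not a compile-time literal, so each such call site can be reviewed for user-controlled input. The keyword name `filter`, the inclusion of plain `similarity_search`, and the sample source are assumptions constructed for the example.

```python
"""Flag similarity_search* calls whose `filter` argument is not a literal.
Added example for auditing call sites; not from the Semantic Kernel project.
"""
import ast
from typing import List, Tuple

# Two names come from the advisory; plain `similarity_search` is an assumption.
AUDIT_CALLS = {
    "similarity_search",
    "similarity_search_with_score",
    "similarity_search_with_relevance_scores",
}


def _is_literal(node: ast.AST) -> bool:
    """True only for constants and containers built purely from constants."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, (ast.List, ast.Tuple, ast.Set)):
        return all(_is_literal(e) for e in node.elts)
    if isinstance(node, ast.Dict):
        return all(k is not None and _is_literal(k) and _is_literal(v)
                   for k, v in zip(node.keys, node.values))
    return False  # names, f-strings, concatenations, calls: may carry user input


def find_dynamic_filters(source: str, filename: str = "<src>") -> List[Tuple[str, int, str]]:
    """Return (filename, line, description) for each audited call with a non-literal filter."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in AUDIT_CALLS:
            continue
        # Assumption: the filter is passed as the keyword argument `filter`.
        filt = next((kw.value for kw in node.keywords if kw.arg == "filter"), None)
        if filt is not None and not _is_literal(filt):
            findings.append((filename, node.lineno, f"{name}: filter is {ast.unparse(filt)}"))
    return findings


# Constructed sample: a hard-coded filter (not flagged) and one built from a request (flagged).
SAMPLE = '''
store.similarity_search_with_score(q, k=5, filter="tenant == 'acme'")
store.similarity_search_with_relevance_scores(q, filter=request.args["f"])
'''

if __name__ == "__main__":
    for fname, line, desc in find_dynamic_filters(SAMPLE, "agent.py"):
        print(f"{fname}:{line}: {desc}")
```

A flagged call is a review candidate, not proof of exploitability; the fix remains upgrading the package and keeping external input out of filter expressions.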