CVE-2026-25592
Unknown Unknown - Not Provided
Arbitrary File Write in Semantic Kernel SessionsPythonPlugin SDK

Publication date: 2026-02-06

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25592
EUVD
EUVD-2026-5582
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
microsoft semantic_kernel 1.70.0
microsoft semantic_kernel.core to 1.70.0 (exc)
microsoft semantic_kernel to 1.39.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25592 is a critical Arbitrary File Write vulnerability found in Microsoft's Semantic Kernel .NET SDK, specifically in the SessionsPythonPlugin component. The vulnerability occurs because the software improperly handles pathname inputs, allowing attackers to perform path traversal attacks. This means an attacker can write files outside of the intended restricted directories by manipulating file path inputs."}, {'type': 'paragraph', 'content': 'The issue affects versions prior to Microsoft.SemanticKernel.Core 1.70.0 and semantic-kernel pip package versions prior to 1.39.3. It has been fixed in these versions by adding security controls that validate and restrict file upload and download paths.'}, {'type': 'paragraph', 'content': 'As a mitigation, users can create a Function Invocation Filter to check and allow-list the localFilePath arguments passed to DownloadFileAsync or UploadFileAsync calls to prevent exploitation.'}] [1, 2]

Impact Analysis

This vulnerability allows an attacker with low privileges and no user interaction to remotely write arbitrary files on the affected system. This can lead to severe impacts on confidentiality, integrity, and availability of the system.

  • Confidentiality: Sensitive data could be exposed or overwritten.
  • Integrity: Critical files could be modified or replaced, potentially leading to system compromise.
  • Availability: Malicious files could disrupt system operations or cause denial of service.

The vulnerability has a high CVSS score (9.9 or 10.0 depending on source), indicating it is highly exploitable and impactful.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves improper handling of file path inputs in the SessionsPythonPlugin component of Microsoft's Semantic Kernel .NET SDK, allowing arbitrary file writes via the DownloadFileAsync or UploadFileAsync methods."}, {'type': 'paragraph', 'content': 'Detection can focus on monitoring or auditing calls to these methods, especially looking for unusual or unexpected file paths that attempt directory traversal or write outside allowed directories.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is in the SDK code, detection on a network or system level might involve:'}, {'type': 'list_item', 'content': 'Reviewing logs or traces of the Semantic Kernel sessions for calls to DownloadFileAsync or UploadFileAsync with suspicious localFilePath arguments.'}, {'type': 'list_item', 'content': 'Checking for presence of versions prior to 1.70.0 of Microsoft.SemanticKernel.Core or prior to 1.39.3 of the semantic-kernel pip package.'}, {'type': 'paragraph', 'content': 'No specific commands are provided in the resources, but general approaches could include:'}, {'type': 'list_item', 'content': 'Using file system monitoring tools to detect unexpected file writes outside of expected directories.'}, {'type': 'list_item', 'content': 'Auditing application logs for calls to vulnerable methods with suspicious parameters.'}, {'type': 'list_item', 'content': 'Checking installed package versions with commands like `dotnet list package` for .NET projects or `pip show semantic-kernel` for Python environments.'}] [1, 2]

Mitigation Strategies

The primary mitigation is to upgrade to the fixed versions: Microsoft.SemanticKernel.Core version 1.70.0 or later, or semantic-kernel pip package version 1.39.3 or later.

If immediate upgrade is not possible, implement a Function Invocation Filter that validates and allow-lists the localFilePath arguments passed to DownloadFileAsync or UploadFileAsync calls to ensure only safe, allowed directories are used.

Additionally, configure the SessionsPythonPlugin settings as follows:

  • Set `EnableDangerousFileUploads` to false (default) to disable file uploads unless explicitly needed.
  • Define `AllowedUploadDirectories` and `AllowedDownloadDirectories` to restrict file operations to safe directories.

These controls prevent unauthorized file writes and directory traversal attacks by enforcing strict path validation and limiting file operations to approved locations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25592. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart