CVE-2026-25592
Unknown Unknown - Not Provided

Arbitrary File Write in Semantic Kernel SessionsPythonPlugin SDK

Vulnerability report for CVE-2026-25592, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-06

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description

Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-06
Last Modified
2026-02-19
Generated
2026-07-06
AI Q&A
2026-02-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
microsoft semantic_kernel 1.70.0
microsoft semantic_kernel.core to 1.70.0 (exc)
microsoft semantic_kernel to 1.39.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25592 is a critical Arbitrary File Write vulnerability found in Microsoft's Semantic Kernel .NET SDK, specifically in the SessionsPythonPlugin component. The vulnerability occurs because the software improperly handles pathname inputs, allowing attackers to perform path traversal attacks. This means an attacker can write files outside of the intended restricted directories by manipulating file path inputs."}, {'type': 'paragraph', 'content': 'The issue affects versions prior to Microsoft.SemanticKernel.Core 1.70.0 and semantic-kernel pip package versions prior to 1.39.3. It has been fixed in these versions by adding security controls that validate and restrict file upload and download paths.'}, {'type': 'paragraph', 'content': 'As a mitigation, users can create a Function Invocation Filter to check and allow-list the localFilePath arguments passed to DownloadFileAsync or UploadFileAsync calls to prevent exploitation.'}] [1, 2]

Impact Analysis

This vulnerability allows an attacker with low privileges and no user interaction to remotely write arbitrary files on the affected system. This can lead to severe impacts on confidentiality, integrity, and availability of the system.

  • Confidentiality: Sensitive data could be exposed or overwritten.
  • Integrity: Critical files could be modified or replaced, potentially leading to system compromise.
  • Availability: Malicious files could disrupt system operations or cause denial of service.

The vulnerability has a high CVSS score (9.9 or 10.0 depending on source), indicating it is highly exploitable and impactful.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves improper handling of file path inputs in the SessionsPythonPlugin component of Microsoft's Semantic Kernel .NET SDK, allowing arbitrary file writes via the DownloadFileAsync or UploadFileAsync methods."}, {'type': 'paragraph', 'content': 'Detection can focus on monitoring or auditing calls to these methods, especially looking for unusual or unexpected file paths that attempt directory traversal or write outside allowed directories.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is in the SDK code, detection on a network or system level might involve:'}, {'type': 'list_item', 'content': 'Reviewing logs or traces of the Semantic Kernel sessions for calls to DownloadFileAsync or UploadFileAsync with suspicious localFilePath arguments.'}, {'type': 'list_item', 'content': 'Checking for presence of versions prior to 1.70.0 of Microsoft.SemanticKernel.Core or prior to 1.39.3 of the semantic-kernel pip package.'}, {'type': 'paragraph', 'content': 'No specific commands are provided in the resources, but general approaches could include:'}, {'type': 'list_item', 'content': 'Using file system monitoring tools to detect unexpected file writes outside of expected directories.'}, {'type': 'list_item', 'content': 'Auditing application logs for calls to vulnerable methods with suspicious parameters.'}, {'type': 'list_item', 'content': 'Checking installed package versions with commands like `dotnet list package` for .NET projects or `pip show semantic-kernel` for Python environments.'}] [1, 2]

Mitigation Strategies

The primary mitigation is to upgrade to the fixed versions: Microsoft.SemanticKernel.Core version 1.70.0 or later, or semantic-kernel pip package version 1.39.3 or later.

If immediate upgrade is not possible, implement a Function Invocation Filter that validates and allow-lists the localFilePath arguments passed to DownloadFileAsync or UploadFileAsync calls to ensure only safe, allowed directories are used.

Additionally, configure the SessionsPythonPlugin settings as follows:

  • Set `EnableDangerousFileUploads` to false (default) to disable file uploads unless explicitly needed.
  • Define `AllowedUploadDirectories` and `AllowedDownloadDirectories` to restrict file operations to safe directories.

These controls prevent unauthorized file writes and directory traversal attacks by enforcing strict path validation and limiting file operations to approved locations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25592. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart