ThreatLevelBeta
Planned Fix

CVE-2026-25592

Path Traversal in Microsoft Semantic Kernel
Loading...

Summary

The SessionsPythonPlugin in Microsoft Semantic Kernel’s .NET and Python SDKs exposes file upload and download tool calls that were missing proper path restriction. A low-privilege authenticated user who can influence the agent’s tool inputs could supply traversal sequences and make the app write files outside the intended directory. This is a path traversal flaw that can overwrite host files and lead to data corruption or broader compromise.

Why Planned Fix?

3/6
Authentication required
Mixed internet / internal deployment
No user interaction needed
Not exploitable in default configuration
No active exploitation or PoC
High impact vulnerability

Exploitation Details

Type
Path Traversal
Is exploitable with default configuration?
No
Is authentication needed?
Yes
PoC / Exploit
No
Impact

Write or overwrite arbitrary files on the host filesystem.

Data Manipulation
Exploitation Requirements
  • Authentication required
  • SessionsPythonPlugin enabled in the application
  • File upload/download tool functions exposed to the agent
Exploitation Process

1) Reach an application that embeds Semantic Kernel and exposes the SessionsPythonPlugin tool functions. 2) Send crafted input that causes the agent to call UploadFileAsync or DownloadFileAsync with a localFilePath containing traversal sequences such as ../. 3) The vulnerable path handling resolves the target outside the intended directory and writes or saves the file there. 4) Exploitation is confirmed when the chosen host file is created or overwritten.

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
Tenable Nessus
1

Affected Software

Vendor:Microsoft
ProductAffected Versions
Microsoft Semantic Kernel (.NET SDK)< 1.71.0
Semantic Kernel (Python SDK)< 1.39.3
Description

SDK for building, orchestrating, and deploying AI agents and multi-agent applications.

Deployment:Mixed (internet/internal)
|
Protocol:HTTPS
|
Ports:
Affected ComponentSessionsPythonPlugin file upload/download handlers used by agent tools.

SessionsPythonPlugin file upload/download handlers used by agent tools.

Affected Endpoints(1)/mnt/data
1./mnt/data
Enterprise UsageEstimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Very Low
Low
Medium
High
Very High
Vendor Size:Big
Remediation
Workaround
Add a Function Invocation Filter that allowlists localFilePath values for DownloadFileAsync and UploadFileAsync.

Add a Function Invocation Filter that allowlists localFilePath values for DownloadFileAsync and UploadFileAsync.

github.com
Patch

Not available

Update
Upgrade Microsoft.SemanticKernel.Plugins.Core to 1.71.0 or later; the Python semantic-kernel package is fixed in 1.39.3 or later.

Upgrade Microsoft.SemanticKernel.Plugins.Core to 1.71.0 or later; the Python semantic-kernel package is fixed in 1.39.3 or later.

github.com
Threat Intelligence
EPSS Score0.1%

Probability of exploitation in the next 30 days

EPSS Percentile21%

Worse than 21% of all CVEs

Last updated: Loading...
CISAKEV
CISA KEV
Not Listed
Active Exploitation
No Evidence
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data

Published: Loading...Modified: Loading...

Description Summary

Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed.

CVSS Base Score

9.9
Critical

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Attack Vector (AV)
Physical
Local
Adjacent
Network
Attack Complexity (AC)
High
Low
Privileges Required (PR)
High
Low
None
User Interaction (UI)
Required
None
Scope (S)
Unchanged
Changed
Confidentiality (C)
None
Low
High
Integrity (I)
None
Low
High
Availability (A)
None
Low
High
CWE:CWE-22 Path Traversal
|
NVD:CVE-2026-25592
|
Version From:
|
Version Upto:

Sources

8
SourceArticle
github.comArbitrary File Write via AI Agent Function Calling in .NET SDK
nvd.nist.govCVE-2026-25592 Detail
osv.devGHSA-2ww3-72rp-wpp4
github.comSemantic Kernel README
github.comPR #13478: Add file upload security controls to SessionsPythonPlugin
github.comCodeInterpreterPlugin sample
learn.microsoft.comSemantic Kernel Filters
tenable.comCVE-2026-25592

Priority History

Planned FixLoading...

Initial analysis