Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.70.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.70.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed.
PUBLISHED5.2CWE-22
Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK
Problem type
Affected products
microsoft
semantic-kernel
< 1.70.0 - AFFECTED
References
https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4
https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4
https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d
https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d
https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64
https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64
GitHub Security Advisories
GHSA-2ww3-72rp-wpp4
Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK
https://github.com/advisories/GHSA-2ww3-72rp-wpp4Impact
What kind of vulnerability is it? Who is impacted?
An Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin.
Developers who have built applications which include Microsoft's Semantic Kernel .NET SDK and are using the SessionsPythonPlugin.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been fixed in Microsoft.SemanticKernel.Core version 1.70.0. Users should upgrade to version 1.70.0 or higher.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed.
References
Are there any links users can visit to find out more?
github.com
https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4
github.com
https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d
github.com
https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-25592
github.com
https://github.com/advisories/GHSA-2ww3-72rp-wpp4
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-25592Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-25592",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-02-06T20:38:28.770Z",
"dateReserved": "2026-02-03T01:02:46.716Z",
"datePublished": "2026-02-06T20:38:28.770Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-02-06T20:38:28.770Z"
},
"title": "Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK",
"descriptions": [
{
"lang": "en",
"value": "Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.70.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.70.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed."
}
],
"affected": [
{
"vendor": "microsoft",
"product": "semantic-kernel",
"versions": [
{
"version": "< 1.70.0",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"cweId": "CWE-22",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4",
"name": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d",
"name": "https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64",
"name": "https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL"
}
}
]
}
}
}