{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25592", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-03T01:02:46.716Z", "datePublished": "2026-02-06T20:38:28.770Z", "dateUpdated": "2026-02-18T23:32:54.483Z"}, "containers": {"cna": {"title": "Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4"}, {"name": "https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d", "tags": ["x_refsource_MISC"], "url": "https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d"}, {"name": "https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64", "tags": ["x_refsource_MISC"], "url": "https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64"}], "affected": [{"vendor": "microsoft", "product": "semantic-kernel", "versions": [{"version": "< 1.71.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-18T23:32:54.483Z"}, "descriptions": [{"lang": "en", "value": "Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel\u202f.NET SDK, specifically within the\u202fSessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync\u202f or UploadFileAsync and ensures the provided localFilePath is allow listed."}], "source": {"advisory": "GHSA-2ww3-72rp-wpp4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:20:46.893694Z", "id": "CVE-2026-25592", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:27:59.698Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25592", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-09T15:20:46.893694Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:20:47.779Z"}}], "cna": {"title": "Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK", "source": {"advisory": "GHSA-2ww3-72rp-wpp4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "microsoft", "product": "semantic-kernel", "versions": [{"status": "affected", "version": "< 1.71.0"}]}], "references": [{"url": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4", "name": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d", "name": "https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64", "name": "https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel\u202f.NET SDK, specifically within the\u202fSessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync\u202f or UploadFileAsync and ensures the provided localFilePath is allow listed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-18T23:32:54.483Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25592", "state": "PUBLISHED", "dateUpdated": "2026-02-18T23:32:54.483Z", "dateReserved": "2026-02-03T01:02:46.716Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T20:38:28.770Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel\u202f.NET SDK, specifically within the\u202fSessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync\u202f or UploadFileAsync and ensures the provided localFilePath is allow listed."}, {"lang": "es", "value": "Semantic Kernel es un SDK utilizado para construir, orquestar y desplegar agentes de IA y sistemas multiagente. Antes de la versi\u00f3n 1.70.0, se ha identificado una vulnerabilidad de escritura arbitraria de archivos en el SDK .NET de Semantic Kernel de Microsoft, espec\u00edficamente dentro del SessionsPythonPlugin. El problema ha sido solucionado en la versi\u00f3n 1.70.0 de Microsoft.SemanticKernel.Core. Como mitigaci\u00f3n, los usuarios pueden crear un Filtro de Invocaci\u00f3n de Funci\u00f3n que verifica los argumentos que se pasan a cualquier llamada a DownloadFileAsync o UploadFileAsync y asegura que el localFilePath proporcionado est\u00e9 en una lista de permitidos."}], "id": "CVE-2026-25592", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T21:16:17.647", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64"}, {"source": "security-advisories@github.com", "url": "https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d"}, {"source": "security-advisories@github.com", "url": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:26:34.853263+00:00", "value": {"mitigation_remediation": ["Update Microsoft Semantic Kernel to version 1.71.0 or later, which includes the fix for the arbitrary file write in SessionsPythonPlugin.", "Implement a Function Invocation Filter that validates and whitelists the localFilePath argument for DownloadFileAsync and UploadFileAsync calls, preventing unintended file system writes.", "Limit the exposure of the Semantic Kernel SDK to trusted inputs only, ensuring that only authenticated and authorized code can invoke agent functions that involve file operations."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "The affected product is Microsoft's Semantic Kernel .NET SDK, specifically the SessionsPythonPlugin in versions earlier than 1.71.0. The vulnerability is patched in Microsoft.SemanticKernel.Core v1.71.0. No other vendors or products are listed as affected.", "description_and_impact": "Semantic Kernel exposes an arbitrary file write flaw in its SessionsPythonPlugin before version 1.71.0. When an AI agent calls DownloadFileAsync or UploadFileAsync, the localFilePath parameter can be supplied by the caller, allowing a malicious actor to write data to any path on the host system. This leads to the potential of overwriting configuration files or injecting executable code, compromising confidentiality and integrity of the application.", "risk_and_exploitability": "The CVSS score of 10 indicates a high severity, but the EPSS value of less than 1% suggests that, as of now, the likelihood of exploitation is low. The vulnerability is not currently recorded in the CISA KEV catalog. Exploitation would require the attacker to supply a prompt or input that triggers the vulnerable agent function calls, so an attacker would need access to the agent invocation context. If achieved, the impact could be serious, potentially enabling code execution or privilege escalation on the target system."}}}}, "created": "2026-02-09T10:49:31.962670+00:00", "updated": "2026-04-17T22:30:29.597281+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$semantic-kernel"]}