Description
Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed.
Published: 2026-02-06
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Apply Patch
AI Analysis

Impact

Semantic Kernel exposes an arbitrary file write flaw in its SessionsPythonPlugin before version 1.71.0. When an AI agent calls DownloadFileAsync or UploadFileAsync, the localFilePath parameter can be supplied by the caller, allowing a malicious actor to write data to any path on the host system. This leads to the potential of overwriting configuration files or injecting executable code, compromising confidentiality and integrity of the application.

Affected Systems

The affected product is Microsoft's Semantic Kernel .NET SDK, specifically the SessionsPythonPlugin in versions earlier than 1.71.0. The vulnerability is patched in Microsoft.SemanticKernel.Core v1.71.0. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 10 indicates a high severity, but the EPSS value of less than 1% suggests that, as of now, the likelihood of exploitation is low. The vulnerability is not currently recorded in the CISA KEV catalog. Exploitation would require the attacker to supply a prompt or input that triggers the vulnerable agent function calls, so an attacker would need access to the agent invocation context. If achieved, the impact could be serious, potentially enabling code execution or privilege escalation on the target system.

Generated by OpenCVE AI on April 17, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Microsoft Semantic Kernel to version 1.71.0 or later, which includes the fix for the arbitrary file write in SessionsPythonPlugin.
  • Implement a Function Invocation Filter that validates and whitelists the localFilePath argument for DownloadFileAsync and UploadFileAsync calls, preventing unintended file system writes.
  • Limit the exposure of the Semantic Kernel SDK to trusted inputs only, ensuring that only authenticated and authorized code can invoke agent functions that involve file operations.

Generated by OpenCVE AI on April 17, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2ww3-72rp-wpp4 Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK
History

Thu, 19 Feb 2026 00:00:00 +0000

Type Values Removed Values Added
Description Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.70.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.70.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed. Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed.

Mon, 09 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft semantic-kernel
Vendors & Products Microsoft
Microsoft semantic-kernel

Fri, 06 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.70.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.70.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed.
Title Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Microsoft Semantic-kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-18T23:32:54.483Z

Reserved: 2026-02-03T01:02:46.716Z

Link: CVE-2026-25592

cve-icon Vulnrichment

Updated: 2026-02-09T15:20:47.779Z

cve-icon NVD

Status : Deferred

Published: 2026-02-06T21:16:17.647

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25592

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses