PT-2026-6792 · Semantic Kernel+1 · Sessionspythonplugin+1
Amiteliahu
+2
·
Published
2026-02-06
·
Updated
2026-06-29
·
CVE-2026-25592
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Semantic Kernel .NET SDK versions prior to 1.71.0
Agent Framework version 1.0
Description
An arbitrary file write issue exists in the .NET SDK, specifically within the
SessionsPythonPlugin. This flaw allows for path traversal, which can be chained with an architectural trust gap in how AI agents handle autonomous tool calls to achieve remote code execution. When AutoInvokeKernelFunctions is enabled, the framework may treat stochastic LLM output as high-privilege system commands without effective validation. Attackers can bypass security filters using JSON type confusion, Base64/URL encoding, or Unicode homoglyphs to overwrite application source code, such as Program.cs, leading to full host takeover. The issue involves the DownloadFileAsync() and UploadFileAsync() functions and the localFilePath variable.Recommendations
For Semantic Kernel .NET SDK versions prior to 1.71.0, update to version 1.71.0 or higher.
For Agent Framework version 1.0, disable
ToolCallBehavior.AutoInvokeKernelFunctions and switch to manual function invocation.
As a temporary mitigation, create a Function Invocation Filter to verify that the localFilePath variable passed to DownloadFileAsync() or UploadFileAsync() is allow listed.
Implement a manual IFunctionInvocationFilter to enforce path anchoring to a designated safe root.Exploit
Fix
RCE
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Semantic-Kernel
Sessionspythonplugin