PT-2026-6792 · Semantic Kernel+1 · Sessionspythonplugin+1

Amiteliahu

+2

·

Published

2026-02-06

·

Updated

2026-06-29

·

CVE-2026-25592

CVSS v3.1

9.9

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Semantic Kernel .NET SDK versions prior to 1.71.0 Agent Framework version 1.0
Description An arbitrary file write issue exists in the .NET SDK, specifically within the SessionsPythonPlugin. This flaw allows for path traversal, which can be chained with an architectural trust gap in how AI agents handle autonomous tool calls to achieve remote code execution. When AutoInvokeKernelFunctions is enabled, the framework may treat stochastic LLM output as high-privilege system commands without effective validation. Attackers can bypass security filters using JSON type confusion, Base64/URL encoding, or Unicode homoglyphs to overwrite application source code, such as Program.cs, leading to full host takeover. The issue involves the DownloadFileAsync() and UploadFileAsync() functions and the localFilePath variable.
Recommendations For Semantic Kernel .NET SDK versions prior to 1.71.0, update to version 1.71.0 or higher. For Agent Framework version 1.0, disable ToolCallBehavior.AutoInvokeKernelFunctions and switch to manual function invocation. As a temporary mitigation, create a Function Invocation Filter to verify that the localFilePath variable passed to DownloadFileAsync() or UploadFileAsync() is allow listed. Implement a manual IFunctionInvocationFilter to enforce path anchoring to a designated safe root.

Exploit

Fix

RCE

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-25592
GHSA-2WW3-72RP-WPP4
PYSEC-2026-531

Affected Products

Semantic-Kernel
Sessionspythonplugin