PT-2026-6847 · Nuget · Microsoft.Semantickernel.Core+1
Published
2026-02-06
·
Updated
2026-02-06
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Impact
What kind of vulnerability is it? Who is impacted?
An Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the
SessionsPythonPlugin.
Developers who have built applications which include Microsoft's Semantic Kernel .NET SDK and are using the SessionsPythonPluginPatches
Has the problem been patched? What versions should users upgrade to?
The problem has been fixed in Microsoft.SemanticKernel.Plugins.Core version 1.71.0. Users should upgrade to version 1.71.0 or higher.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users can create a Function Invocation Filter which checks the arguments being passed to any calls to
DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed.References
Are there any links users can visit to find out more?
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Microsoft.Semantickernel.Core
Semantic-Kernel