AI Threat Alert AI Threat Alert

CVE-2026-25592: semantic-kernel: Path Traversal enables file access

GHSA-2ww3-72rp-wpp4 CRITICAL
Published February 6, 2026
CISO Take

Patch now if you're running Semantic Kernel agents with SessionsPythonPlugin — this is a CVSS 9.9 arbitrary file write reachable by any authenticated user over the network with zero user interaction. The scope change (S:C) in the CVSS vector means successful exploitation can break container isolation, turning a compromised plugin into full host access. If immediate patching to 1.71.0 (.NET) / 1.39.3 (Python) is not possible, implement a Function Invocation Filter to allowlist valid file paths as the vendor-recommended workaround.

Risk Assessment

Critical risk for organizations deploying Semantic Kernel-based AI agents. Network-accessible, low privilege required, no user interaction, scope change — this is close to a worst-case CVSS profile. EPSS (0.058%) indicates no active exploitation observed yet, but path traversal primitives in file I/O plugins are trivial to weaponize once the target API is identified. Risk is amplified in multi-tenant SaaS products built on Semantic Kernel where untrusted users have agent access.

Affected Systems

Package Ecosystem Vulnerable Range Patched
semantic-kernel pip < 1.39.3 1.39.3
27.8K 17 dependents Pushed 8d ago 100% patched ~7d to patch Full package profile →
Microsoft.SemanticKernel.Core nuget < 1.71.0 1.71.0

Severity & Risk

CVSS 3.1
9.9 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 21% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I High
A High

Recommended Action

1 step

  1. 1) PATCH: Upgrade Microsoft.SemanticKernel.Core to 1.71.0+ (NuGet) and semantic-kernel to 1.39.3+ (pip) immediately — no exceptions for production systems. 2) WORKAROUND: If patching is delayed, implement a Function Invocation Filter that validates localFilePath against an explicit allowlist before any DownloadFileAsync or UploadFileAsync invocation — this is the vendor-documented compensating control. 3) DETECT: Alert on file writes outside designated agent working directories; monitor for unexpected modifications to /etc/, ~/.ssh/, cron directories, or application config paths from the Semantic Kernel process user. 4) AUDIT: Enumerate all usages of SessionsPythonPlugin in your codebase and CI/CD pipelines; verify dependency versions across all environments. 5) HARDEN: Run Semantic Kernel processes under a least-privilege OS user and within a restricted filesystem namespace — read-only container mounts where possible, seccomp profiles restricting filesystem syscalls.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Data Extraction Framework Agent Plugin AML.T0049 AML.T0051.001 AML.T0053 AML.T0086 AML.T0101 AML.T0105

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
8.5 - AI System Security A.6.1.2 - AI System Security Controls
NIST AI RMF
GOVERN-1.7 - AI Risk Management — Third-Party Components MANAGE-2.2 - Risk Treatment for AI Systems
OWASP LLM Top 10
LLM06 - Excessive Agency LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-25592?

Patch now if you're running Semantic Kernel agents with SessionsPythonPlugin — this is a CVSS 9.9 arbitrary file write reachable by any authenticated user over the network with zero user interaction. The scope change (S:C) in the CVSS vector means successful exploitation can break container isolation, turning a compromised plugin into full host access. If immediate patching to 1.71.0 (.NET) / 1.39.3 (Python) is not possible, implement a Function Invocation Filter to allowlist valid file paths as the vendor-recommended workaround.

Is CVE-2026-25592 actively exploited?

No confirmed active exploitation of CVE-2026-25592 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-25592?

1) PATCH: Upgrade Microsoft.SemanticKernel.Core to 1.71.0+ (NuGet) and semantic-kernel to 1.39.3+ (pip) immediately — no exceptions for production systems. 2) WORKAROUND: If patching is delayed, implement a Function Invocation Filter that validates localFilePath against an explicit allowlist before any DownloadFileAsync or UploadFileAsync invocation — this is the vendor-documented compensating control. 3) DETECT: Alert on file writes outside designated agent working directories; monitor for unexpected modifications to /etc/, ~/.ssh/, cron directories, or application config paths from the Semantic Kernel process user. 4) AUDIT: Enumerate all usages of SessionsPythonPlugin in your codebase and CI/CD pipelines; verify dependency versions across all environments. 5) HARDEN: Run Semantic Kernel processes under a least-privilege OS user and within a restricted filesystem namespace — read-only container mounts where possible, seccomp profiles restricting filesystem syscalls.

What systems are affected by CVE-2026-25592?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, plugin systems, code interpretation sandboxes, AI copilot backends, multi-agent orchestration systems.

What is the CVSS score for CVE-2026-25592?

CVE-2026-25592 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed.

Exploitation Scenario

An adversary with low-privilege access to a Semantic Kernel-backed AI coding assistant — a trial user, a compromised internal account, or an attacker who has obtained a valid API token — sends a crafted agent invocation calling DownloadFileAsync with localFilePath set to '../../.ssh/authorized_keys' and attacker-controlled content as the file payload. The unpatched SessionsPythonPlugin writes the attacker's SSH public key to the host's authorized_keys file, granting persistent SSH access to the underlying infrastructure. In a cloud-hosted multi-tenant scenario, this single request escalates to full control of the agent execution environment and potential lateral movement to other tenant workloads. No UI interaction from a victim is required at any stage.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-22

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References

Timeline

Published
February 6, 2026
Last Modified
February 20, 2026
First Seen
February 6, 2026

Related Vulnerabilities

CRITICAL CVE-2026-26030 10.0

semantic-kernel: Code Injection enables RCE

Same package: semantic-kernel
CRITICAL CVE-2025-5120 10.0

smolagents: sandbox escape enables unauthenticated RCE

Same attack type: Supply Chain
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Supply Chain
Back to Threat Feed