DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25592: The Agent Inside: Arbitrary File Write in Microsoft Semantic Kernel


Vulnerability ID: CVE-2026-25592
CVSS Score: 10.0
Published: 2026-02-06

In the race to build autonomous AI agents, Microsoft's Semantic Kernel accidentally handed the keys to the castle to the Large Language Model itself. By failing to validate file paths in the SessionsPythonPlugin, the SDK allowed AI agents—manipulated by prompt injection—to write arbitrary files to the host filesystem. This critical vulnerability (CVSS 10.0) turns a helpful coding assistant into a remote code execution engine, proving once again that implicit trust in LLM outputs is a security suicide pact.

TL;DR

Microsoft Semantic Kernel's Python code interpreter plugin allowed AI agents to read and write files on the host machine without path validation. An attacker could use prompt injection to trick the agent into overwriting critical system files (RCE) or exfiltrating sensitive data via directory traversal.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22 (Path Traversal)
  • CVSS Score: 10.0 (Critical)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Attack Vector: Network (Prompt Injection)
  • Impact: RCE, Arbitrary File Read/Write
  • EPSS Score: 0.00097
  • Exploit Status: PoC Available / Trivial

Affected Systems

  • Microsoft Semantic Kernel .NET SDK < 1.70.0
  • Microsoft Semantic Kernel Python SDK < 1.39.3
  • Applications using SessionsPythonPlugin
  • Applications using SessionsPythonTool
  • Microsoft.SemanticKernel (.NET): < 1.70.0 (Fixed in: 1.70.0)
  • semantic-kernel (Python): < 1.39.3 (Fixed in: 1.39.3)

Code Analysis

Commit: 5b27a72

Implementation of python code execution security controls

Added strict path checking and canonicalization logic to python tool execution.

Commit: e696dc7

Refactor SessionsPythonPlugin to use new security controls

Introduced AllowedUploadDirectories and mandatory EnableDangerousFileUploads flag.

Exploit Details

  • GitHub: Official Advisory and reproduction steps

Mitigation Strategies

  • Update Semantic Kernel SDK to patched versions immediately.
  • Implement strict allow-lists for file I/O operations.
  • Run the Host Application with least privilege (never root/SYSTEM).
  • Use Function Invocation Filters to validate arguments if patching is delayed.

Remediation Steps:

  1. Identify all instances of SessionsPythonPlugin or SessionsPythonTool in your codebase.
  2. Update Microsoft.SemanticKernel to v1.70.0+ (.NET) or semantic-kernel to v1.39.3+ (Python).
  3. Modify initialization code to configure AllowedUploadDirectories and AllowedDownloadDirectories.
  4. Test to ensure .. traversal attempts throw a SecurityException.
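An added example, not code from Semantic Kernel, of the canonicalize-then-allow-list check that steps 3 and 4 describe, written as the logic a Function Invocation Filter would apply to a plugin's path arguments before the agent's file operation runs. The `SecurityException` class, the `/srv/agent/uploads` root and the `local_file_path` argument name are assumptions for the example.

```python
from pathlib import Path


class SecurityException(Exception):
    """Raised when a model-supplied path falls outside the configured allow-list."""


def canonicalize(path: str) -> Path:
    # resolve() makes the path absolute, collapses '.' and '..' and follows
    # symlinks, so the containment test runs on the real location, not the
    # raw string the model produced.
    return Path(path).resolve(strict=False)


def validate_path(requested: str, allowed_dirs: list[str]) -> Path:
    """Return the canonical path if it lies inside one of allowed_dirs, else raise."""
    if not allowed_dirs:
        # Empty allow-list means file I/O is off, matching a secure-by-default posture.
        raise SecurityException("file I/O disabled: no allowed directories configured")
    target = canonicalize(requested)
    for base in allowed_dirs:
        # is_relative_to compares path components, so '/srv/agent/uploads_evil'
        # is not mistaken for a child of '/srv/agent/uploads'.
        if target.is_relative_to(canonicalize(base)):
            return target
    raise SecurityException(f"{requested!r} is outside the allowed directories")


def is_allowed(requested: str, allowed_dirs: list[str]) -> bool:
    try:
        validate_path(requested, allowed_dirs)
        return True
    except SecurityException:
        return False


def filter_arguments(arguments: dict, path_args: set[str], allowed_dirs: list[str]) -> dict:
    """Hypothetical invocation-filter hook: validate every path-typed argument
    before the plugin function runs and replace it with its canonical form."""
    cleaned = dict(arguments)
    for name in path_args:
        if name in arguments:
            cleaned[name] = str(validate_path(arguments[name], allowed_dirs))
    return cleaned


if __name__ == "__main__":
    allowed = ["/srv/agent/uploads"]  # constructed upload root for the demo
    print(is_allowed("/srv/agent/uploads/report.csv", allowed))           # True
    print(is_allowed("/srv/agent/uploads/../../../etc/passwd", allowed))  # False
    print(is_allowed("/srv/agent/uploads_evil/x.py", allowed))            # False
```

Because the comparison happens after symlink resolution, a link planted inside the upload directory that points elsewhere is rejected as well.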


Read the full report for CVE-2026-25592 on our website for more details including interactive diagrams and full exploit analysis.
