Microsoft has issued a critical security advisory for developers using its Semantic Kernel .NET SDK, warning of a vulnerability that could allow AI agents to overwrite sensitive files on the host system. The flaw, tracked as CVE-2026-25592, carries a maximum CVSS score of 10.0, indicating that it is both easy to exploit and catastrophic in its potential impact.
The vulnerability strikes at the intersection of AI and system security. Semantic Kernel is a popular SDK used to build “agents”—AI programs that can perform tasks like searching the web, sending emails, or managing files. However, an oversight in one of its plugins has turned this capability into a major liability.
The issue resides specifically within the SessionsPythonPlugin, a component that allows AI agents to execute Python code and manage files. According to the advisory, “An Arbitrary File Write vulnerability has been identified in Microsoft’s Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin”.
The flaw involves the DownloadFileAsync and UploadFileAsync functions. These tools are designed to move files between the AI’s sandbox and the local system. However, they failed to properly validate the file paths provided to them.
This means a malicious actor—or even a confused AI—could direct the agent to write a file anywhere on the server, potentially overwriting critical system configurations or deploying malicious scripts.
The vulnerability affects developers who have built applications using the Semantic Kernel .NET SDK and have enabled the SessionsPythonPlugin.
“Developers who have built applications which include Microsoft’s Semantic Kernel .NET SDK and are using the SessionsPythonPlugin” are explicitly named as the impacted group. If your AI agent doesn’t use this specific plugin to handle files, you are likely safe.
Microsoft has acted quickly to close the hole. The vulnerability has been fixed in Microsoft.SemanticKernel.Core version 1.70.0. Developers are urged to upgrade their NuGet packages immediately to this version or higher.
For those who cannot upgrade right away, the advisory offers a temporary workaround: implementing a “filter” to check the agent’s homework.
“Users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed,” the report suggests. By manually whitelisting safe directories, developers can prevent the AI from wandering into dangerous territory until the patch is applied.
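A sketch of the workaround the advisory describes, added here as an illustration; it is not code from Microsoft's advisory or from the SDK. It assumes .NET 6 or later and that the plugin's functions are registered under their method names with or without the `Async` suffix. The class name and the root directory are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.SemanticKernel;

// Added example: rejects file-transfer calls whose localFilePath falls outside allowlisted roots.
public sealed class LocalPathAllowlistFilter : IFunctionInvocationFilter
{
    // Assumption: the registered function name may or may not keep the "Async" suffix, so match both.
    private static readonly string[] Guarded =
        { "DownloadFileAsync", "UploadFileAsync", "DownloadFile", "UploadFile" };
    private readonly string[] _roots;

    public LocalPathAllowlistFilter(params string[] allowedRoots)
    {
        // Canonicalize each root and end it with a separator so "/srv/agent" never matches "/srv/agent-other".
        _roots = allowedRoots
            .Select(r => Path.TrimEndingDirectorySeparator(Path.GetFullPath(r)) + Path.DirectorySeparatorChar)
            .ToArray();
    }

    public async Task OnFunctionInvocationAsync(
        FunctionInvocationContext context, Func<FunctionInvocationContext, Task> next)
    {
        if (Guarded.Contains(context.Function.Name, StringComparer.OrdinalIgnoreCase))
        {
            // Fail closed: a missing, empty, or non-allowlisted path stops the call before the plugin runs.
            if (!context.Arguments.TryGetValue("localFilePath", out var raw) ||
                raw?.ToString() is not { Length: > 0 } path || !IsAllowed(path))
            {
                throw new UnauthorizedAccessException(
                    $"Blocked {context.Function.Name}: localFilePath is not allowlisted.");
            }
        }
        await next(context);
    }

    private bool IsAllowed(string path)
    {
        // GetFullPath collapses ".." segments and relative paths; it does not resolve symlinks.
        var full = Path.GetFullPath(path);
        var cmp = OperatingSystem.IsWindows() ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        return _roots.Any(root => full.StartsWith(root, cmp));
    }
}
// Registration, where kernel is an existing Kernel instance and the root is a placeholder:
// kernel.FunctionInvocationFilters.Add(new LocalPathAllowlistFilter("/srv/agent-files"));
```

Because the comparison runs on the canonicalized path, inputs containing `..` or relative segments are judged by where they actually resolve. Keep the allowlisted roots free of symlinks that point elsewhere.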