Microsoft.SemanticKernel Vulnerability in AIConnector Dependencies
Environment
| Affected Versions | Product |
|---|---|
| < 2026.1.210 | Telerik Document Processing |
Description
Microsoft has disclosed an Arbitrary File Write vulnerability in the Semantic Kernel .NET SDK (GHSA-2ww3-72rp-wpp4). This issue impacts applications that directly use the SessionsPythonPlugin within the Semantic Kernel SDK.
Important:
The vulnerable Semantic Kernel API members (DownloadFileAsyncandUploadFileAsync) exist in the dependency chain, but Telerik Document Processing Libraries do not use them in any way.✅ Telerik Document Processing Libraries are not affected by this Semantic Kernel vulnerability.
There is no exploit path, and no security risk is introduced into applications using Telerik Document Processing.
The following Telerik Document Processing AI package includes the Microsoft.SemanticKernel.Core dependency through a transitive chain:
- Telerik.Windows.Documents.AIConnector (for .NET Framework and .NET 8, .NET 9, and .NET 10 on Windows)—This package references
Telerik.Documents.AI.RAG, which in turn referencesMicrosoft.SemanticKernel.Core.
Solution
Even though Telerik Document Processing Libraries are not impacted, we recommend following general best practices by updating to the latest Microsoft.SemanticKernel version to ensure your overall application environment benefits from the upstream fix.