semantic-kernel

vdotnet-1.76.0 scope: dotnet Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 23d AI Agents & Assistants

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs

Topics

ai artificial-intelligence llm openai sdk

ReleasePort's take

Moderate signal

editorial:auto 13d

The dotnet‑1.76.0 release patches the high‑severity NU1903 vulnerability (GHSA-pggp-6c3x-2xmx). Update Kiota packages and bump Snappier to 1.3.1 immediately.

Why it matters: Patch now: the NU1903 high‑severity vulnerability (CVSS unspecified) is fixed in dotnet‑1.76.0; update dependent packages without delay.

Summary

AI summary

GHSA-pggp-6c3x-2xmx and NU1903 high‑severity vulnerability fixed.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Harden CloudDrivePlugin defaults and add path validation Harden CloudDrivePlugin defaults and add path validation Source: llm_adapter@2026-05-21 Confidence: high	—
Security	Medium	Harden gRPC plugin address handling Harden gRPC plugin address handling Source: llm_adapter@2026-05-21 Confidence: high	—
Feature
Feature	Medium	Support ImageContent in tool/function results Support ImageContent in tool/function results Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Add deny-by-default AllowedUploadDirectories to CloudDrivePlugin Add deny-by-default AllowedUploadDirectories to CloudDrivePlugin Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Add ExtraBody to OpenAIPromptExecutionSettings Add ExtraBody to OpenAIPromptExecutionSettings Source: llm_adapter@2026-05-21 Confidence: high	—
Dependency	Medium	Update Kiota packages to fix NU1903 vulnerability Update Kiota packages to fix NU1903 vulnerability Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Bump Snappier to 1.3.1 to fix NU1903 high-severity vulnerability (GHSA-pggp-6c3x-2xmx) Bump Snappier to 1.3.1 to fix NU1903 high-severity vulnerability (GHSA-pggp-6c3x-2xmx) Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix
Bugfix	Medium	Improve input validation in OpenAPI plugin Improve input validation in OpenAPI plugin Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Fix DocumentPlugin path validation order Fix DocumentPlugin path validation order Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Fall back to ToString() when logging function results with unregistered types Fall back to ToString() when logging function results with unregistered types Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Fix VertexAI global endpoint URI construction Fix VertexAI global endpoint URI construction Source: llm_adapter@2026-05-21 Confidence: high	—

Full changelog

Changes:

f2b3c931d1bc43b5630eb16aea24a4fe93d56699 .Net: Version bump 1.76.0 (#13972)
3dd139b2bd4000dd8efc19edd6d3127e17916550 .Net: Harden CloudDrivePlugin defaults and add path validation (#13958)
446c2eff94bcf4539e1528db692352bbbb3628a5 .Net: Improve input validation in OpenAPI plugin (#13962)
b7ae840d65c244b8f72e55ef1a5be8bdb4f31ac7 .Net: feat(connectors): Support ImageContent in tool/function results (#13431) [ #13430, #13419 ]
52d4e5ce857bcdc770eb9ea415e2092aae3fa258 .Net: Harden gRPC plugin address handling (#13961)
73d3c59902914f79d3068a54aaa851d275c91de8 Update Kiota packages to fix NU1903 vulnerability (#13966)
fb10d92d8c9c21d1a0122f53781bd1bee5acd25f .Net: Bump Snappier to 1.3.1 to fix NU1903 high-severity vulnerability (GHSA-pggp-6c3x-2xmx) (#13960) [ #13431 ]
1a5065e5cf25536ffe94ff1fba7713f300c7c9b7 .Net: Fix DocumentPlugin path validation order (#13956)
2a719ca3182f547203f54257f69c47a175fbb3fd .Net: Add deny-by-default AllowedUploadDirectories to CloudDrivePlugin (#13953)
006a5d9a9b3eb4ed41f63beb6341bc44e724d9db .Net: fix: fall back to ToString() when logging function results with unregistered types (#13884) [ #13681 ]

See More * 6e1ab9dee5e73131099a85314464287088bbd651 .Net: Fix VertexAI global endpoint URI construction (#13620) (#13621) * a1a701d051d425897518c3f70dc3d835cd949c7b .Net: Fix whitespace formatting in PromptExecutionSettingsExtensions.cs (#13941) * 1369c2e0ce6b9e5e86877b62c14b7311440aed2c .Net: Add ExtraBody to OpenAIPromptExecutionSettings (#12307) (#13934) [ #11852 ] * a68600a73a8153c436bffe5a96c4508cf0c09238 .Net: Update Step04_AzureAIAgent_CodeInterpreter.cs (#13886)

Security Fixes

NU1903 high‑severity vulnerability fixed by updating Kiota packages (#13966)
GHSA-pggp-6c3x-2xmx (high severity) fixed by bumping Snappier to 1.3.1 (#13960)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track semantic-kernel

Get notified when new releases ship.

About semantic-kernel

Integrate cutting-edge LLM technology quickly and easily into your apps

All releases →

Related context

Related tools

Earlier breaking changes

vpython-1.43.0 Updates OpenAPI document parsing options in Python.