CVE-2026-44641 HIGH

CVE-2026-44641: Microsoft APM: plugin.json component paths escape plugin root and copy arbitrary host files during install

Vendor Microsoft
Product apm
Weakness CWE-22 · Path traversal
Published May 15, 2026
Last update May 15, 2026

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer's machine during apm install. This vulnerability is fixed in 0.8.12.

Key dates

02Disclosure timeline

May 15, 2026 CVE published
May 15, 2026 Record updated