Description
Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer's machine during apm install. This vulnerability is fixed in 0.8.12.
Published: 2026-05-15
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microsoft APM allowed plugin developers to specify component file paths in plugin.json that were not constrained to the plugin directory. Attackers could therefore supply absolute paths or path-traversal sequences like "../" to copy arbitrary readable files or directories from the host machine into the plugin installation location. The result is that sensitive data on the installer's system can be read and placed in the plugin's workspace without authorization. This flaw is classified as CWE-22 (Path Traversal) and CWE-73 (Path Manipulation).

Affected Systems

Microsoft APM versions older than 0.8.12 are affected. The vulnerability manifests when installing marketplace plugins, as the implementation copies referenced components into .apm/ without validating the paths. Any instance of APM prior to 0.8.12 that accepts external plugin manifests can be impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a high-severity vulnerability. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation. The attack vector is inferred to be the installation of a malicious plugin from the marketplace; an attacker must be able to supply or modify the plugin.json file during installation. Upgrading to 0.8.12 fixes the missing path validation, preventing arbitrary file reads during plugin install.

Generated by OpenCVE AI on May 15, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Microsoft APM version 0.8.12 or later, which implements proper path validation for plugin components.
  • If an upgrade is not immediately possible, limit plugin installation to trusted, manually reviewed sources and cross‑check the plugin.json paths for absolute or traversal references.
  • Monitor install logs for unexpected file system activity and, if available, configure alerts for file copies during plugin deployment.
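
One way to run the manifest cross-check from the second recommended action, as an added example (not APM's code and not the 0.8.12 fix). It assumes each of the four fields holds a path string or a list of path strings and that plugin.json sits at the plugin root; `audit_manifest` and `audit_plugin_dir` are hypothetical names.

```python
import json
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

# Manifest fields the advisory names as attacker-controlled.
COMPONENT_FIELDS = ("agents", "skills", "commands", "hooks")


def _entries(value):
    """Yield path strings from a field (assumed: one string or a list of strings)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, list):
        yield from (v for v in value if isinstance(v, str))


def audit_manifest(plugin_root, manifest):
    """Return (field, path, reason) for every component path that leaves plugin_root."""
    root = Path(plugin_root).resolve()
    findings = []
    for field in COMPONENT_FIELDS:
        for raw in _entries(manifest.get(field)):
            # Check both path flavours so "C:\\..." is flagged on any host.
            if PurePosixPath(raw).is_absolute() or PureWindowsPath(raw).is_absolute():
                findings.append((field, raw, "absolute path"))
                continue
            # resolve() collapses ../ and follows symlinks, so a link inside the
            # plugin that points outside it is caught as well.
            target = (root / raw).resolve()
            if not target.is_relative_to(root):
                findings.append((field, raw, "resolves outside plugin root"))
    return findings


def audit_plugin_dir(plugin_dir):
    """Load <plugin_dir>/plugin.json (location is an assumption) and audit it."""
    text = (Path(plugin_dir) / "plugin.json").read_text(encoding="utf-8")
    return audit_manifest(plugin_dir, json.loads(text))


if __name__ == "__main__":
    # Constructed sample manifest, not taken from a real plugin.
    sample = {"agents": "agents/", "skills": ["skills/a", "../../.ssh"],
              "commands": "/etc", "hooks": "hooks/../hooks.json"}
    with tempfile.TemporaryDirectory() as tmp:
        for field, path, reason in audit_manifest(tmp, sample):
            print(f"{field}: {path!r} -> {reason}")
```

An empty result means every listed component path stays under the plugin directory; any finding is a reason to reject the plugin before running `apm install` on a version older than 0.8.12.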



Advisories
Source: Github GHSA
ID: GHSA-xhrw-5qxx-jpwr
Title: Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install
History

Fri, 15 May 2026 18:15:00 +0000

Values Added (no removed values are listed):
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 May 2026 16:45:00 +0000

Values Added (no removed values are listed):
  Description: Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer's machine during apm install. This vulnerability is fixed in 0.8.12.
  Title: Microsoft APM: plugin.json component paths escape plugin root and copy arbitrary host files during install
  Weaknesses: CWE-22, CWE-73
  References:
  Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T17:49:00.985Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44641

Vulnrichment

Updated: 2026-05-15T17:48:55.309Z

NVD

Status: Received

Published: 2026-05-15T17:16:47.633

Modified: 2026-05-15T19:17:00.220

Link: CVE-2026-44641

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T18:00:05Z
