Description
Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project's deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0.
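The mechanism described above (a bare rglob() whose matches are handed straight to read_text(), which follows symlinks) and the "inspect package contents before installation" step in the recommended actions can both be shown with a small Python script. This is an added example, not apm-cli's own code: the names collect_naive, collect_safe, build_fixture and demo are hypothetical, and the package tree it builds in a temporary directory (one real prompt file, one symlink to a file outside the package, one symlink to a file inside it) is constructed here for illustration. The naive collector returns the content of the out-of-package file under a package-relative name; the hardened collector refuses any symlink (is_symlink() inspects the link itself and does not follow it) and, as a second check, any match whose resolved path leaves the package root.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical helper names; none of these are apm-cli functions.


def collect_naive(package_root: Path, pattern: str) -> dict[str, str]:
    """The vulnerable pattern: bare rglob() plus read_text(), which
    dereferences any file symlink it matches, wherever it points."""
    return {
        str(p.relative_to(package_root)): p.read_text()
        for p in package_root.rglob(pattern)
        if p.is_file()  # is_file() follows symlinks, so the link is accepted
    }


def collect_safe(package_root: Path, pattern: str) -> tuple[dict[str, str], list[str]]:
    """Hardened variant: refuse symlinks outright and refuse any match whose
    real path escapes the package root (covers symlinked parent directories).
    Returns the accepted files plus the package-relative paths it rejected."""
    root = package_root.resolve(strict=True)
    accepted: dict[str, str] = {}
    rejected: list[str] = []
    for p in package_root.rglob(pattern):
        rel = str(p.relative_to(package_root))
        if p.is_symlink():  # lstat-based: does not follow the link
            rejected.append(rel)
            continue
        if not p.is_file():
            continue
        if not p.resolve().is_relative_to(root):  # parent dir was a symlink out of root
            rejected.append(rel)
            continue
        accepted[rel] = p.read_text()
    return accepted, rejected


def build_fixture(base: Path) -> Path:
    """Construct a toy dependency tree (constructed sample, not a real APM package):
    a legitimate prompt, a symlink to a file outside the package standing in for a
    host-local file, and a symlink to a file inside the package."""
    host_secret = base / "host_secret.txt"
    host_secret.write_text("SECRET-CONTENT")
    pkg = base / "apm_modules" / "example-dep"
    prompts = pkg / ".apm" / "prompts"
    prompts.mkdir(parents=True)
    (prompts / "good.prompt.md").write_text("# a legitimate prompt\n")
    os.symlink(host_secret, prompts / "outside.prompt.md")
    os.symlink(prompts / "good.prompt.md", prompts / "alias.prompt.md")
    return pkg


def demo() -> dict:
    """Run both collectors over the fixture and report what each accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_fixture(Path(tmp))
        naive = collect_naive(pkg, "*.prompt.md")
        safe, rejected = collect_safe(pkg, "*.prompt.md")
        return {
            "naive_leaks_host_file": naive.get(".apm/prompts/outside.prompt.md") == "SECRET-CONTENT",
            "naive_names": sorted(naive),
            "safe_names": sorted(safe),
            "safe_good_content": safe.get(".apm/prompts/good.prompt.md"),
            "rejected": sorted(rejected),
        }


if __name__ == "__main__":
    print(demo())
```

Rejecting every symlink, rather than only those that resolve outside the package, is the simpler policy for a dependency manager: a package has no legitimate need to ship links, and the list of rejected paths is exactly what an inspection step before installation should surface.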
Published: 2026-05-15
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microsoft APM allows symbolic links placed under the .apm/prompts/ or .apm/agents/ directories of a dependency to be resolved during apm install, causing host-local files to be copied into the project tree. This gives an attacker the ability to read arbitrary files from the host machine, exposing sensitive data or source code. The flaw combines information disclosure (CWE-200) with improper link resolution before file access, i.e. link following (CWE-59).

Affected Systems

Microsoft APM (apm-cli) versions 0.5.4 through 0.12.4 are affected; the issue is fixed in version 0.13.0.

Risk and Exploitability

The CVSS score of 7.4 denotes a High severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this by supplying a malicious dependency containing symlinks that point to sensitive host files and then having apm install run, which may happen on local developer workstations or in CI pipelines. The impact is primarily a confidentiality breach rather than code execution.

Generated by OpenCVE AI on May 15, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Microsoft APM to version 0.13.0 or later to apply the official fix.
  • If an upgrade cannot be performed immediately, validate that dependencies are obtained from trusted sources and inspect package contents before installation to avoid malicious symlinks.
  • If a compromised package has already been installed, remove any unexpected files created under the project's deploy directories and delete symlinks from the local .apm/prompts/ and .apm/agents/ directories before re-installing dependencies.

Advisories

No advisories yet.

History

Fri, 15 May 2026 17:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project's deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0.

Type: Title
Values Removed: (none)
Values Added: Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-200, CWE-59

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T16:41:24.808Z

Reserved: 2026-05-12T17:48:47.878Z

Link: CVE-2026-45539

Vulnrichment

Updated: 2026-05-15T16:41:10.649Z

NVD

Status: Received

Published: 2026-05-15T17:16:48.887

Modified: 2026-05-15T17:16:48.887

Link: CVE-2026-45539

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T17:30:04Z

Weaknesses