CVE-2026-44641 Overview
CVE-2026-44641 is a path traversal vulnerability [CWE-22] in Microsoft APM, an open-source dependency manager for AI agents. Versions prior to 0.8.12 do not validate attacker-controlled paths in plugin manifest fields during installation. The apm install command normalizes marketplace plugins by copying the components referenced in plugin.json into the project's local .apm/ directory. The implementation does not restrict those paths to the plugin's own directory, so absolute paths and ../ traversal sequences are honored. A malicious plugin can therefore copy arbitrary files or directories readable by the installing user into .apm/. Microsoft released a fix in version 0.8.12.
Critical Impact
Installing a malicious APM plugin lets its author copy any file readable by the installing user, including SSH keys, cloud credentials, and source code, into the project's .apm/ directory, where the plugin's own agent or hook code can read and exfiltrate it.
Affected Products
- Microsoft APM versions prior to 0.8.12
- AI agent projects using APM as a dependency manager
- Developer workstations and CI environments running apm install
Discovery Timeline
- 2026-05-15 - CVE-2026-44641 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-44641
Vulnerability Analysis
Microsoft APM is a community-driven dependency manager designed to package and distribute components used by AI agents. When a user runs apm install, the tool retrieves a plugin from the marketplace and normalizes its layout by copying files declared in the plugin.json manifest into the local .apm/ directory.
The manifest exposes several fields that reference files on disk: agents, skills, commands, and hooks. These fields are controlled entirely by the plugin author. The installer reads each declared path and performs a copy operation without confirming that the source path resolves inside the plugin's own directory.
Because containment is not enforced, the copy honors absolute paths such as /home/user/.ssh/id_rsa and parent-directory traversal sequences such as ../../../../etc/passwd. The copied files (or whole directories) land in the .apm/ directory of the project in which the user ran apm install, where the plugin's declared agent or hook logic can subsequently read them.
Root Cause
The root cause is missing canonicalization and containment validation of manifest-supplied file paths. The installer treats the agents, skills, commands, and hooks entries as relative paths within the plugin archive, but it never resolves each entry and checks that the result stays under the plugin root, so absolute paths and .. sequences that escape it are accepted as-is.
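To make the mechanism in the paragraphs above concrete, here is an added example, written for this page in Python and not taken from APM or the advisory, that models the copy step: install_plugin with enforce_containment=False reproduces the missing check (the declared path is joined to the plugin directory as-is), and resolve_inside is the canonicalize-then-contain validation whose absence is described as the root cause. The function names, the temporary-directory layout and the plugin.json contents are assumptions constructed for the demo.

```python
"""Illustrative model of the manifest-driven copy step the advisory describes.
Added example, not APM's source code: it reconstructs the pattern (copy the files
named in plugin.json into .apm/) and places the missing containment check beside
it. Field names follow the page; function names and the sample layout are assumed."""
from __future__ import annotations

import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_FIELDS = ("agents", "skills", "commands", "hooks")


def iter_strings(node):
    """Yield every string under node; lists and nested objects (e.g. hooks) are walked."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (list, dict)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from iter_strings(child)


def resolve_inside(plugin_root, declared: str) -> Path:
    """Canonicalize a manifest path and require it to stay under plugin_root.
    Rejects absolute paths, '..' escapes and symlinks that lead outside: the check
    the advisory says the installer lacked before 0.8.12."""
    root = Path(plugin_root).resolve()
    if Path(declared).is_absolute():
        raise ValueError(f"absolute path in manifest: {declared}")
    target = (root / declared).resolve()  # collapses '..' and follows symlinks
    if target != root and root not in target.parents:
        raise ValueError(f"path escapes plugin directory: {declared}")
    return target


def install_plugin(plugin_root: Path, dest: Path, *, enforce_containment: bool) -> list[Path]:
    """Copy declared components into dest (standing in for the project's .apm/).
    enforce_containment=False is the vulnerable shape: Path('/p') / '/etc/passwd' is
    just Path('/etc/passwd') and '../' is joined as-is, so sources reach outside.
    With enforce_containment=True every entry is validated before anything is copied."""
    manifest = json.loads((plugin_root / "plugin.json").read_text())
    declared = [s for field in MANIFEST_FIELDS for s in iter_strings(manifest.get(field))]
    if enforce_containment:
        sources = [resolve_inside(plugin_root, d) for d in declared]
    else:
        sources = [plugin_root / d for d in declared]
    copied: list[Path] = []
    for src, d in zip(sources, declared):
        out = dest / Path(d).name
        if src.is_dir():
            shutil.copytree(src, out, dirs_exist_ok=True)
        else:
            shutil.copy2(src, out)
        copied.append(out)
    return copied


def demo() -> dict:
    """Constructed scenario: a plugin next to a fake SSH key, installed both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        secret = base / "home" / ".ssh" / "id_rsa"  # stands in for a real key
        secret.parent.mkdir(parents=True)
        secret.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n")
        plugin = base / "marketplace" / "evil-plugin"
        plugin.mkdir(parents=True)
        (plugin / "agent.md").write_text("legit agent file\n")
        # Constructed malicious manifest: one honest entry, one '../' escape, one absolute directory.
        (plugin / "plugin.json").write_text(json.dumps({
            "agents": ["agent.md", "../../home/.ssh/id_rsa"],
            "hooks": {"on_start": str(secret.parent)},
        }))
        vuln_dest, safe_dest = base / "proj_vuln" / ".apm", base / "proj_safe" / ".apm"
        vuln_dest.mkdir(parents=True)
        safe_dest.mkdir(parents=True)
        vulnerable = [p.name for p in install_plugin(plugin, vuln_dest, enforce_containment=False)]
        try:
            install_plugin(plugin, safe_dest, enforce_containment=True)
            rejected = None
        except ValueError as exc:
            rejected = str(exc)
        return {
            "vulnerable_copied": vulnerable,
            "secret_leaked": (vuln_dest / "id_rsa").read_text().startswith("-----BEGIN"),
            "hardened_rejected": rejected,
            "hardened_copied": sorted(p.name for p in safe_dest.iterdir()),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter more than the specific names: the check compares fully resolved paths on both sides (so symlinks and /var vs /private/var style aliasing cannot fool it), and validation of the whole manifest runs before the first copy, so one bad entry aborts the install without leaving partial files in .apm/.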
Attack Vector
Exploitation requires local execution context with user interaction: a developer must install a malicious plugin from the APM marketplace or another source. The attacker publishes a plugin whose plugin.json declares manifest paths pointing at sensitive host files. When the victim runs apm install, the installer copies those files into .apm/, where the plugin's agent or hook code can read and exfiltrate them on first execution. No elevated privileges are required beyond those of the installing user.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-xhrw-5qxx-jpwr.
Detection Methods for CVE-2026-44641
Indicators of Compromise
- Files inside .apm/ directories whose names match sensitive host paths such as id_rsa, .aws/credentials, or .npmrc.
- plugin.json manifests containing absolute paths or ../ sequences in the agents, skills, commands, or hooks fields.
- Unexpected outbound network connections initiated by APM plugin processes shortly after apm install completes.
Detection Strategies
- Audit installed plugins by parsing each plugin.json and flagging any manifest path that is absolute or contains .. segments.
- Inventory .apm/ directories across developer endpoints and compare copied filenames against an allowlist of expected plugin assets.
- Hash sensitive credential files and alert when matching content appears under any project's .apm/ tree.
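The first two strategies above can be scripted. The following is an added example, written for this page in Python and not code from the page or the APM project: it walks a directory tree, parses each plugin.json, flags entries under agents, skills, commands and hooks that are absolute or carry a '..' segment, and lists credential-like filenames found under any .apm/ directory. It generalizes slightly beyond the page by also treating Windows drive-letter and backslash paths as unsafe. The sensitive-name list, the finding format and the constructed sample tree are assumptions; extend the list for your own environment.

```python
"""Added detection example for the strategies above (not code from the page or from APM).
It scans a directory tree for plugin.json manifests whose agents/skills/commands/hooks
entries are absolute or contain a '..' segment, and inventories .apm/ directories for
filenames that match well-known credential files. The sample tree is constructed inline;
the sensitive-name list is an assumption to extend per environment."""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

MANIFEST_FIELDS = ("agents", "skills", "commands", "hooks")
# Filenames that have no business under a project's .apm/ tree (assumed starting list).
SENSITIVE_NAMES = {"id_rsa", "id_ed25519", "id_ecdsa", "credentials", ".npmrc", ".netrc",
                   ".env", ".git-credentials"}
_DRIVE = re.compile(r"^[A-Za-z]:")  # Windows drive-letter prefix


def unsafe_path(declared: str) -> str | None:
    """Return why a declared path could escape the plugin root, or None if it cannot."""
    if declared.startswith(("/", "\\")) or _DRIVE.match(declared):
        return "absolute"
    if ".." in re.split(r"[\\/]", declared):  # '..' as a whole segment, either separator
        return "parent-traversal"
    return None


def iter_strings(node):
    """Yield every string under node; lists and nested objects are walked."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (list, dict)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from iter_strings(child)


def scan_manifest(path: Path) -> list[dict]:
    """Flag unsafe entries in one plugin.json; an unparseable file is itself a finding."""
    try:
        manifest = json.loads(path.read_text())
        if not isinstance(manifest, dict):
            raise ValueError("top-level value is not an object")
    except (OSError, ValueError) as exc:
        return [{"file": str(path), "field": None, "value": None, "reason": f"unparseable: {exc}"}]
    findings = []
    for field in MANIFEST_FIELDS:
        for value in iter_strings(manifest.get(field)):
            reason = unsafe_path(value)
            if reason:
                findings.append({"file": str(path), "field": field, "value": value, "reason": reason})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Audit every plugin.json under root and every .apm/ directory for credential-like names."""
    findings: list[dict] = []
    for manifest in root.rglob("plugin.json"):
        findings.extend(scan_manifest(manifest))
    for apm_dir in (d for d in root.rglob(".apm") if d.is_dir()):
        for f in apm_dir.rglob("*"):
            if f.is_file() and f.name in SENSITIVE_NAMES:
                findings.append({"file": str(f), "field": None, "value": f.name,
                                 "reason": "sensitive-name-in-apm"})
    return findings


def demo() -> list[str]:
    """Constructed tree: one clean plugin, one malicious manifest, one leaked key in .apm/."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        good = base / "plugins" / "good"
        good.mkdir(parents=True)
        (good / "plugin.json").write_text(json.dumps(
            {"agents": ["agents/helper.md"], "hooks": {"pre": "hooks/run.sh"}}))
        bad = base / "plugins" / "bad"
        bad.mkdir(parents=True)
        (bad / "plugin.json").write_text(json.dumps({
            "agents": ["agent.md", "../../../home/dev/.aws/credentials"],
            "skills": [{"path": "C:\\Users\\dev\\.npmrc"}],
            "hooks": {"on_start": "/etc/passwd"},
        }))
        leaked = base / "proj" / ".apm" / "id_rsa"
        leaked.parent.mkdir(parents=True)
        leaked.write_text("constructed, not a real key\n")
        return sorted(f"{f['reason']}:{f['value']}" for f in scan_tree(base))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Point scan_tree at a developer's home directory or a CI workspace checkout; a non-empty result is worth a ticket, and the "unparseable" finding is deliberate so that a manifest an installer would choke on does not silently pass the audit.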
Monitoring Recommendations
- Monitor process telemetry for apm install invocations followed by reads of ~/.ssh, ~/.aws, ~/.config, or browser profile directories.
- Log file-system access patterns from APM plugin processes on developer workstations and CI runners.
- Track network egress from hosts running APM, focusing on uploads from .apm/ working directories.
How to Mitigate CVE-2026-44641
Immediate Actions Required
- Upgrade Microsoft APM to version 0.8.12 or later on all developer workstations, build servers, and CI runners.
- Audit existing .apm/ directories for files copied from outside their plugin source tree and remove any unexpected content.
- Rotate SSH keys, cloud credentials, and API tokens on any host where a vulnerable APM version installed plugins from untrusted sources, since anything readable by the installing user may have been copied into .apm/.
Patch Information
Microsoft fixed CVE-2026-44641 in Microsoft APM version 0.8.12. The patch enforces that paths referenced by the agents, skills, commands, and hooks manifest fields resolve inside the plugin directory. Refer to the GitHub Security Advisory GHSA-xhrw-5qxx-jpwr for the upstream advisory and commit references.
Workarounds
- Restrict apm install to vetted plugins from trusted publishers until the upgrade is deployed.
- Run apm install inside an ephemeral container or sandbox that has no access to credentials, SSH keys, or source repositories.
- Review and statically validate every plugin.json before installation, rejecting manifests with absolute paths or .. traversal sequences.
# Configuration example: upgrade APM, then validate a manifest before installing it
# (confirm the package name and distribution channel against the upstream install docs)
npm install -g @microsoft/apm@0.8.12
# Quick pre-install audit: walk every string under the four manifest fields and fail if
# any is absolute, starts with a Windows drive letter, or contains a ".." path segment
jq -e '[.agents, .skills, .commands, .hooks | .. | strings
        | select(startswith("/") or test("^[A-Za-z]:") or ([splits("[/\\\\]")] | index("..")))]
       | length == 0' plugin.json >/dev/null \
  && echo "OK" || echo "UNSAFE PATHS DETECTED"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.