CVE-2026-45539 Overview
CVE-2026-45539 affects Microsoft APM, an open-source dependency manager for AI agents. The flaw exists in apm-cli versions 0.5.4 through 0.12.4. Two primitive integrators enumerate package files using bare Path.glob() and Path.rglob() calls, then read each match with Path.read_text(). These calls transparently follow symbolic links. A symlink committed inside a remote APM dependency is preserved during clone and dereferenced during integration. The resolved content is written as a regular file into the project's deploy directories. Microsoft fixed the issue in version 0.13.0.
Critical Impact
A malicious APM dependency can exfiltrate arbitrary host files into a developer's repository, where the deploy roots are not covered by the auto-generated .gitignore and are staged by git add by default.
Affected Products
- Microsoft APM apm-cli versions 0.5.4 through 0.12.4
- Projects consuming remote APM dependencies via .apm/prompts/ or .apm/agents/
- Downstream repositories that stage apm_modules/ deploy output with git add
Discovery Timeline
- 2026-05-15 - CVE-2026-45539 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-45539
Vulnerability Analysis
The vulnerability is a symlink-following flaw classified under [CWE-59] (Improper Link Resolution Before File Access). The apm-cli integrator code walks dependency directories with Path.glob() and Path.rglob(), neither of which excludes symbolic links by default. When the integrator calls Path.read_text() on a matched path, Python's standard library transparently dereferences the symlink and returns the target file's contents. The integrator then writes that content to a regular file under the consuming project's deploy directory.
Because the malicious payload is a symlink rather than file content, the package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag the dependency. The deploy roots are also absent from the auto-generated .gitignore, so resulting files are staged by git add . and silently committed by developers who trust their dependency tree.
Root Cause
The root cause is a missing symlink check in two integrator routines. Neither integrator validates that the resolved path stays inside the package directory, and neither rejects entries where Path.is_symlink() returns true. Combining permissive file enumeration with content-hash validation that only covers the symlink stub creates a trust gap between scanning and deployment.
Attack Vector
An attacker publishes a malicious APM dependency containing a symlink at .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md pointing to a sensitive file such as ~/.ssh/id_rsa, ~/.aws/credentials, or /etc/passwd. When a victim adds the dependency, apm clone preserves the symlink verbatim into apm_modules/. The next integration run dereferences the symlink and writes the host file's contents into the deploy directory as a normal tracked file. A subsequent git add and git push exfiltrates the data to the developer's remote repository.
The exploitation chain requires user interaction in the form of installing the malicious dependency. See the GitHub Security Advisory GHSA-q5pp-gvjg-h7v4 for vendor-confirmed technical details.
Detection Methods for CVE-2026-45539
Indicators of Compromise
- Symbolic links present anywhere under apm_modules/<package>/.apm/prompts/ or .apm/agents/
- Files in project deploy roots whose contents match sensitive host paths such as private keys, cloud credentials, or shell history
- Git commits adding unexpected files under APM deploy directories shortly after apm install or apm update
Detection Strategies
- Scan apm_modules/ recursively for symlinks using find apm_modules -type l and treat any result as suspicious
- Compare integrator output files against known-good prompt and agent templates to spot foreign content
- Audit git diff --cached output before commits when APM dependencies have changed
Monitoring Recommendations
- Alert on developer workstations that produce git commits containing private key headers, AWS access key prefixes, or /etc/ file fragments
- Track apm-cli versions across the development fleet and flag any installation below 0.13.0
- Log all apm install, apm clone, and integration commands to a central data lake for retrospective hunting
How to Mitigate CVE-2026-45539
Immediate Actions Required
- Upgrade apm-cli to version 0.13.0 or later on every developer workstation and CI runner
- Inventory existing apm_modules/ directories and remove any symbolic links found
- Rotate credentials that may have been resident on machines that ran vulnerable apm-cli versions against untrusted dependencies
- Review recent git history in projects using APM for unexpected files staged under deploy roots
Patch Information
Microsoft published the fix in apm-cli0.13.0. The patched integrators reject symlinks during enumeration and validate that resolved paths remain inside the package root. Refer to the GitHub Security Advisory GHSA-q5pp-gvjg-h7v4 for the full advisory and patch reference.
Workarounds
- Pin APM dependencies to vetted internal mirrors until upgrade to 0.13.0 is complete
- Add APM deploy roots to .gitignore so that integrator output is never staged automatically
- Run apm install inside a sandboxed container with no access to credential stores or SSH keys
- Manually inspect apm_modules/ for symlinks before invoking the integration step
# Configuration example
# Detect symlinks introduced by malicious APM dependencies
find apm_modules -type l -printf '%p -> %l\n'
# Enforce minimum apm-cli version
pip install --upgrade 'apm-cli>=0.13.0'
# Exclude APM deploy roots from accidental commits
printf '\n# APM deploy output\napm_modules/\n.apm/deploy/\n' >> .gitignore
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
