CVE-2026-46383 Overview
CVE-2026-46383 is a path traversal vulnerability [CWE-22] in Microsoft APM, an open-source dependency manager for AI agents. The flaw affects versions prior to 0.13.0 running on Python 3.10 and 3.11. When apm install <bundle> processes a local .tar.gz archive, the legacy-bundle probe calls raw tar.extractall() without validating Windows absolute member names such as D:/.... Attackers can craft a malicious bundle that writes files outside the intended extraction directory on Windows hosts. Microsoft fixed the issue in release 0.13.0.
Critical Impact
A crafted .tar.gz bundle can write arbitrary files to attacker-chosen locations on Windows systems running Python 3.10 or 3.11, enabling high-integrity tampering with local files.
Affected Products
- Microsoft APM versions prior to 0.13.0
- Python 3.10 runtime on Windows
- Python 3.11 runtime on Windows
Discovery Timeline
- 2026-05-15 - CVE-2026-46383 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-46383
Vulnerability Analysis
Microsoft APM accepts user-supplied .tar.gz archives through the apm install <bundle> command. When an archive is not recognized as a current plugin-format bundle, APM falls back to a legacy probe to determine whether the archive matches the --format apm layout. This probe extracts tar members to inspect their structure.
On Python releases earlier than 3.12, tarfile.extractall() does not enforce a default extraction filter. Member names are written to disk as-is. APM relies on this unsafe default and adds no name validation of its own.
The missing validation specifically exposes Windows hosts. A tar member named D:/Windows/System32/... is treated by Python on Windows as an absolute path on the D: drive, bypassing the intended extraction root. Python 3.12 introduced an extraction filter that blocks such names, which is why only 3.10 and 3.11 runtimes are affected.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22] inside the legacy-bundle probe. APM invokes tar.extractall() on untrusted input without supplying a filter or rejecting absolute Windows member names containing drive letters or backslash separators.
Attack Vector
Exploitation requires local access and user interaction. An attacker must convince a developer to run apm install against a malicious .tar.gz archive. The archive is crafted with tar members whose names contain Windows absolute paths such as D:/path/to/target. When the legacy-bundle probe extracts these members, files are written outside the expected sandbox directory, allowing the attacker to overwrite scripts, configuration files, or executables the user can modify.
The vulnerability does not yield code execution directly. It produces arbitrary file write, which an attacker can chain into code execution by overwriting files referenced during later developer workflows.
Detection Methods for CVE-2026-46383
Indicators of Compromise
- Unexpected files appearing outside the working directory after running apm install against a local archive
- .tar.gz archives whose members contain absolute Windows paths (drive letters followed by :/ or :\)
- Modifications to user-writable system or profile paths shortly after APM invocation
- APM process tree on Windows extracting archives sourced from untrusted locations such as email attachments or downloaded artifacts
Detection Strategies
- Inspect .tar.gz archives before installation by listing entries with tar -tzf <bundle> and rejecting any member name containing : or starting with / or \
- Monitor file creation events from Python interpreters invoked by apm on Windows endpoints, alerting on writes outside the user's project directory
- Audit developer endpoints for installed Microsoft APM versions below 0.13.0 running on Python 3.10 or 3.11
Monitoring Recommendations
- Log all apm install invocations and the source path of the archive supplied
- Forward Windows Sysmon FileCreate events from python.exe child processes to a central log store for retrospective hunting
- Track Python runtime versions across developer workstations to identify hosts still on 3.10 or 3.11
How to Mitigate CVE-2026-46383
Immediate Actions Required
- Upgrade Microsoft APM to version 0.13.0 or later on all developer and build systems
- Avoid running apm install against .tar.gz archives received from untrusted sources until the upgrade is complete
- Where feasible, upgrade the underlying Python interpreter to 3.12 or later to gain the default tar extraction filter
Patch Information
Microsoft released the fix in Microsoft APM 0.13.0. Patched releases reject Windows absolute member names during the legacy-bundle probe. Review the GitHub Security Advisory GHSA-mq5j-pw29-jcv3 for the official fix details.
Workarounds
- Restrict apm install to archives produced internally and signed or hashed against a known-good manifest
- Pre-validate archives with a script that rejects members whose names contain :, leading /, leading \, or .. segments
- Run apm install inside a disposable sandbox or container so that any out-of-bounds writes are contained
# Configuration example: validate a tar archive before passing it to apm install
python - <<'PY'
import sys, tarfile
bundle = sys.argv[1]
with tarfile.open(bundle) as tf:
for m in tf.getmembers():
name = m.name.replace('\\', '/')
if name.startswith('/') or ':' in name.split('/')[0] or '..' in name.split('/'):
print(f'unsafe member: {m.name}')
sys.exit(1)
print('archive passed validation')
PY
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
