CVE-2026-44641— Microsoft APM: plugin.json component paths escape plugin root and copy arbitrary host files during install
Possible ATT&CK Techniques 1AI
T1083 · File and Directory DiscoveryGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44641
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Microsoft APM: plugin.json component paths escape plugin root and copy arbitrary host files during install
Source: NVD (National Vulnerability Database)
Vulnerability Description
Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer's machine during apm install. This vulnerability is fixed in 0.8.12.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
APM – Agent Package Manager 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
APM – Agent Package Manager是Microsoft开源的一款AI代理依赖管理工具。 APM – Agent Package Manager 0.8.12之前版本存在路径遍历漏洞,该漏洞源于未验证插件路径是否在插件目录内,可能导致恶意插件在安装过程中复制主机上的任意可读文件或目录。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44641
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44641
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-44641 (1)
Same Patch Batch · microsoft · 2026-05-15 · 3 CVEs total
| CVE-2026-45539 | 7.4 HIGH | Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during ` |
| CVE-2026-46383 | 5.5 MEDIUM | Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in |
IV. Related Vulnerabilities
Same vendor: microsoft
- CVE-2026-46538
Microsoft UFO accepts cross-device TASK_END messages by sess - CVE-2026-46416
Microsoft UFO shared WebSocket handler state causes cross-cl - CVE-2026-46414
Microsoft UFO WebSocket role spoofing allows authenticated p - CVE-2026-46402
Microsoft UFO uses untrusted task_name in log paths, allowin - CVE-2026-46544
Microsoft UFO reuses client-supplied WebSocket session IDs a
Same weakness: CWE-22
- CVE-2026-46402
Microsoft UFO uses untrusted task_name in log paths, allowin - CVE-2026-44635
Kysely: JSON-path traversal injection via unsanitized path-l - CVE-2026-44353
Streamlink: Arbitrary local file read via file:// URI in HLS - CVE-2026-45571
go-git: Crafted repositories may modify main and submodule . - CVE-2026-48544
Taipy 4.1.1 Path Traversal via ElementLibrary.get_resource()
V. Comments for CVE-2026-44641
No comments yet