May 2026: Microsoft APM: plugin.json component paths escape plugin root and copy arbitrary host file
CVE-2026-44641 Published on May 15, 2026
Microsoft APM: plugin.json component paths escape plugin root and copy arbitrary host files during install
Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer's machine during apm install. This vulnerability is fixed in 0.8.12.
Vulnerability Analysis
CVE-2026-44641 can be exploited with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-44641. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Types
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-44641 has been classified to as a Directory traversal vulnerability or weakness.
External Control of File Name or Path
The software allows user input to control or influence paths or file names that are used in filesystem operations.