PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44641 microsoft CVE debrief

Microsoft APM (AI Package Manager) versions prior to 0.8.12 contain a path traversal vulnerability in the plugin installation process. The APM tool normalizes marketplace plugins by copying components referenced in plugin.json manifest fields (agents, skills, commands, hooks) into the .apm/ directory. These manifest paths are attacker-controlled without sufficient validation, allowing malicious plugins to specify absolute paths or ../ traversal sequences. This enables arbitrary file or directory read from the installer's host filesystem during apm install execution. The vulnerability is classified as CWE-22 (Path Traversal) and CWE-73 (External Control of File Name or Path). The issue was fixed in version 0.8.12.

Vendor: microsoft
Product: apm
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Organizations using Microsoft APM for AI agent dependency management, particularly those installing plugins from public or untrusted marketplace sources. Security teams monitoring supply chain risks in AI/ML tooling infrastructure. Developers integrating APM into automated deployment pipelines.

Technical summary

The vulnerability exists in Microsoft APM's plugin normalization routine. When processing a plugin.json manifest, the tool copies files referenced in four fields (agents, skills, commands, hooks) into a local .apm/ directory. The implementation fails to validate that these paths remain within the plugin's intended directory structure. A malicious actor can craft a plugin with manifest entries like /etc/passwd or ../../../sensitive/path, causing APM to copy arbitrary readable files from the host filesystem during installation. This represents a supply chain attack vector where compromised or malicious marketplace plugins can exfiltrate host data. The fix in 0.8.12 presumably adds path validation to ensure all referenced paths resolve within the plugin directory boundary.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Microsoft APM to version 0.8.12 or later
  • Review installed plugins for suspicious manifest entries with absolute or traversal paths
  • Audit .apm/ directory contents for unexpected files copied from outside plugin directories
  • Implement plugin manifest validation in CI/CD pipelines before deployment
  • Restrict apm install execution to isolated environments with minimal filesystem exposure
  • Monitor for plugins referencing system paths in agents, skills, commands, or hooks fields
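
One way to run the manifest review and CI validation steps above, as an added example (not code from APM or from the advisory): it flags absolute paths, parent-directory sequences and symlink escapes in the four component fields of plugin.json. It assumes each field holds one path string or a list of them; check_entry, audit_manifest and demo are hypothetical names, and the sample plugin in demo is constructed.

```python
import json
import tempfile
from pathlib import Path, PureWindowsPath

# The four manifest fields the advisory names as copy sources.
COMPONENT_FIELDS = ("agents", "skills", "commands", "hooks")


def check_entry(root, entry):
    """Return a reason string if entry may leave root, else None."""
    if not isinstance(entry, str):
        return "not a path string, review manually"
    lexical = PureWindowsPath(entry)  # splits on both / and \
    if lexical.anchor:                # "/etc/x", "C:\\x", "\\\\host\\share"
        return "absolute path"
    if ".." in lexical.parts:
        return "parent-directory traversal"
    # Follow symlinks too: a link inside the plugin can still point outside it.
    if not (root / entry).resolve().is_relative_to(root):
        return "resolves outside plugin directory"
    return None


def audit_manifest(plugin_dir):
    """Return (field, entry, reason) findings for plugin_dir/plugin.json."""
    root = Path(plugin_dir).resolve()
    manifest = json.loads((root / "plugin.json").read_text(encoding="utf-8"))
    findings = []
    for field in COMPONENT_FIELDS:
        value = manifest.get(field) or []
        # Assumed schema: each field is one path string or a list of them.
        for entry in value if isinstance(value, list) else [value]:
            reason = check_entry(root, entry)
            if reason:
                findings.append((field, entry, reason))
    return findings


def demo():
    """Audit a constructed plugin: one clean field, three suspicious ones."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "plugin"
        (plugin / "agents").mkdir(parents=True)
        (plugin / "linked").symlink_to(tmp)  # link escaping the plugin dir
        manifest = {"agents": "agents", "skills": ["/etc/passwd"],
                    "commands": "../../../sensitive/path", "hooks": ["linked"]}
        (plugin / "plugin.json").write_text(json.dumps(manifest))
        return audit_manifest(plugin)
```

Call audit_manifest on an unpacked plugin directory before apm install runs and fail the pipeline job when the returned list is non-empty.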

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-xhrw-5qxx-jpwr. CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N indicates local attack vector with high confidentiality and integrity impact. Fix version 0.8.12 explicitly mentioned in advisory.

Official resources

2026-05-15T17:16:47.633Z