PatchSiren cyber security CVE debrief
CVE-2026-45539 microsoft CVE debrief
Microsoft APM (AI Package Manager) versions 0.5.4 through 0.12.4 contain a symlink-following vulnerability in two primitive integrators within apm-cli. The integrators use bare Path.glob() and Path.rglob() calls to enumerate package files, then read each match with Path.read_text(), which transparently follows symbolic links. A malicious symlink committed inside a remote APM dependency under .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md is preserved verbatim into apm_modules/ upon clone and dereferenced during integration. The resolved content is written as a regular file into the project's deploy directories. The package content_hash verification, pre-deploy SecurityGate scan, and apm audit do not detect this behavior. Additionally, deploy roots are not automatically added to .gitignore, causing resulting files to be staged by default during git add operations. This vulnerability was published on 2026-05-15 and last modified on 2026-05-18. It is fixed in version 0.13.0.
- Vendor
- microsoft
- Product
- apm
- CVSS
- HIGH 7.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-15
- Original CVE updated
- 2026-05-18
- Advisory published
- 2026-05-15
- Advisory updated
- 2026-05-18
Who should care
Organizations using Microsoft APM for AI agent dependency management, particularly those consuming packages from external or untrusted sources. Development teams with automated CI/CD pipelines that may inadvertently stage or deploy files written through symlink resolution. Security teams responsible for supply chain integrity and pre-deployment verification of AI agent packages.
Technical summary
The vulnerability exists in apm-cli's primitive integrators which use Python's pathlib.Path.glob(), Path.rglob(), and Path.read_text() methods without symlink safety checks. When processing APM dependencies, symlinks in .apm/prompts/ or .apm/agents/ paths are preserved into apm_modules/ and dereferenced during integration, writing arbitrary file content to deploy directories. The content_hash mechanism, SecurityGate scan, and apm audit fail to detect this behavior. Deploy directories lack automatic .gitignore entries, causing git staging of potentially sensitive files.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Microsoft APM to version 0.13.0 or later to remediate this vulnerability
- Review apm_modules/ directories for unexpected symlinks in dependencies from untrusted sources
- Manually add deploy directories to .gitignore to prevent accidental staging of dereferenced symlink content
- Audit existing deployments for files that may have been written from symlink resolution in affected versions
- Implement additional pre-deployment scanning that specifically checks for symlink traversal in package files
- Consider pinning dependencies to trusted sources and verifying package integrity beyond content_hash checks
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. Affected version range 0.5.4 to 0.12.4 and fix version 0.13.0 confirmed via GitHub Security Advisory. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N indicates network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, and high confidentiality impact. CWE-59 (Improper Link Resolution Before File Access) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) identified as primary weakness classifications.
Official resources
-
CVE-2026-45539 CVE record
CVE.org
-
CVE-2026-45539 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-15T17:16:48.887Z