PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46383 microsoft CVE debrief

Microsoft APM versions prior to 0.13.0 contain a Windows-specific path traversal vulnerability in the legacy-bundle probe used during `apm install <bundle>` operations on Python 3.10 and 3.11. When processing local `.tar.gz` archives that are not recognized as plugin-format bundles, APM attempts to determine if they are legacy `--format apm` bundles. This probe uses `tar.extractall()` without proper validation, allowing extraction of tar members with Windows absolute paths (e.g., `D:/...`) to arbitrary locations on the filesystem. The vulnerability does not affect Python 3.12 or later, which includes improved tar extraction safeguards. This issue was disclosed on 2026-05-15 and last modified on 2026-05-18.

Vendor
microsoft
Product
apm
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-18
Advisory published
2026-05-15
Advisory updated
2026-05-18

Who should care

Organizations using Microsoft APM on Windows with Python 3.10 or 3.11 for AI agent dependency management; security teams monitoring supply chain risks in open-source AI tooling; developers packaging or distributing APM bundles

Technical summary

The vulnerability exists in the legacy-bundle format detection logic within Microsoft APM's installation routine. When `apm install` receives a local `.tar.gz` file that does not match the plugin-format bundle signature, APM falls back to probing for legacy `--format apm` bundles. On Python versions prior to 3.12, this probe calls `tar.extractall()` without validating member paths. Python's tarfile module before 3.12 does not automatically reject Windows absolute path specifications (e.g., `D:/Windows/System32/malicious.dll`), so an attacker can craft an archive whose members are written to arbitrary locations on the target system. The attack requires local access to supply the malicious archive and user interaction to run the install command, but it requires no privileges and has low attack complexity. Integrity impact is rated HIGH because arbitrary file writes can lead to code execution or system compromise.
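As an added illustration (not APM's code, and not the fix shipped in 0.13.0), the helper below shows the member-path check the legacy probe lacked: it vets every member of a `.tar.gz` before any `extractall()` call, rejecting Windows drive anchors such as `D:/...` even on POSIX, where `os.path.isabs()` would call them relative, and passes the `filter='data'` safeguard on interpreters that have it. The bundle contents and helper names are constructed for the example.

```python
import io
import tarfile
import tempfile
from pathlib import PurePosixPath, PureWindowsPath

def member_is_safe(name: str) -> bool:
    """True only if `name` is a relative path that stays under the destination.
    Both flavours are checked: os.path on POSIX treats `D:/x` as relative, while
    a Windows extractor honours the drive anchor, which is the failure above."""
    if not name or "\x00" in name or "\\" in name:
        return False
    win, posix = PureWindowsPath(name), PurePosixPath(name)
    if win.drive or win.root or posix.is_absolute():
        return False
    return ".." not in posix.parts

def unsafe_members(data: bytes) -> list[str]:
    """Names of members of a .tar.gz that must not be extracted: absolute or
    traversing paths, plus links and devices a format probe has no need for."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()
                if not member_is_safe(m.name) or not (m.isfile() or m.isdir())]

def safe_extract(data: bytes, dest: str) -> list[str]:
    """Vet the whole archive before touching `dest`, so a bad bundle never gets a
    partial write; the PEP 706 'data' filter is passed as a second layer where
    the interpreter has it. Returns the names that were extracted."""
    bad = unsafe_members(data)
    if bad:
        raise ValueError(f"refusing archive with unsafe members: {bad!r}")
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        tar.extractall(dest, **extra)
        return tar.getnames()

def extract_to_scratch(data: bytes) -> list[str]:
    """Run safe_extract into a throwaway directory (used by the self-check)."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(data, dest)

def build_sample_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed sample .tar.gz (not a real APM bundle) from name -> content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

The archive is rejected whole rather than member by member, which also covers the partial-write case where a benign file precedes the traversing one.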

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade Microsoft APM to version 0.13.0 or later to eliminate the vulnerable legacy-bundle probe behavior
  • If immediate patching is not possible, avoid installing untrusted local .tar.gz bundles using apm install on Windows systems running Python 3.10 or 3.11
  • Consider upgrading to Python 3.12 or later, which includes built-in protections against absolute path extraction in tarfile
  • Implement application controls to restrict apm install operations to trusted bundle sources only
  • Monitor for anomalous file system writes to unexpected locations during APM installation operations

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-mq5j-pw29-jcv3. CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N indicates local attack vector with high integrity impact. CWE-22 (Path Traversal) and CWE-73 (External Control of File Name or Path) identified as root causes. Fix version 0.13.0 explicitly addresses the extraction boundary failure.

Official resources

2026-05-15T17:16:49.090Z