File Path Traversal Vulnerability in Microsoft APM Dependency Manager
CVE-2026-44641

7.1 HIGH

Key Information:

Vendor: Microsoft

Status
Vendor
CVE Published: 15 May 2026

What is CVE-2026-44641?

Microsoft APM, a dependency manager for AI agents, is affected by a file path traversal vulnerability. Versions prior to 0.8.12 use user-controlled fields in plugin manifests as file paths without sufficiently normalizing or restricting them, so a malicious plugin can cause arbitrary files to be copied from the host system. The vulnerability is fixed in version 0.8.12, which tightens directory access restrictions.
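The class of check described above, as an added example that is not APM's own code: a naive join of a manifest path onto the plugin directory next to a resolver that normalizes the path and rejects anything outside that directory. The manifest layout, the `files` field and all function names are hypothetical.

```python
import tempfile
from pathlib import Path

# Constructed manifest; the "files" field is hypothetical, not APM's schema.
SAMPLE_MANIFEST = {"name": "demo-plugin", "files": [
    "prompts/main.md", "../../outside/secret.txt", "/etc/hostname", "link/secret.txt"]}


def resolve_unsafe(plugin_root: Path, field: str) -> Path:
    """Naive join: '..' segments and absolute paths escape plugin_root."""
    return plugin_root / field


def resolve_contained(plugin_root: Path, field: str) -> Path:
    """Resolve a manifest path and reject anything outside plugin_root."""
    root = plugin_root.resolve()
    # resolve() collapses '..' and follows symlinks before the containment check.
    candidate = (root / field).resolve()
    if not candidate.is_relative_to(root):
        raise ValueError(f"manifest path escapes plugin directory: {field!r}")
    return candidate


def audit_manifest(plugin_root: Path, manifest: dict) -> dict:
    """Map each manifest path to 'ok' or 'rejected'."""
    results = {}
    for field in manifest["files"]:
        try:
            resolve_contained(plugin_root, field)
            results[field] = "ok"
        except ValueError:
            results[field] = "rejected"
    return results


def build_demo_tree(base: Path) -> Path:
    """Create a plugin dir, a file outside it, and a symlink pointing outside."""
    plugin_root = base / "plugins" / "demo-plugin"
    (plugin_root / "prompts").mkdir(parents=True)
    (plugin_root / "prompts" / "main.md").write_text("hello")
    (base / "outside").mkdir()
    (base / "outside" / "secret.txt").write_text("host secret")
    (plugin_root / "link").symlink_to(base / "outside", target_is_directory=True)
    return plugin_root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_manifest(build_demo_tree(Path(tmp)), SAMPLE_MANIFEST))
```

The check runs on the fully resolved path, so a symlink inside the plugin directory that points elsewhere is rejected along with `..` segments and absolute paths.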

Affected Version(s)

apm < 0.8.12

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
