CVE-2026-45539: Microsoft APM: symlink attack leaks host files in agent deps
GHSA-q5pp-gvjg-h7v4 | HIGH | PoC available

Microsoft APM, an open-source dependency manager for AI agents, contains a symlink-following flaw (CWE-59) in its CLI integrators across versions 0.5.4–0.12.4 that allows a malicious remote package to read arbitrary host files and silently write their contents into project deploy directories. An adversary who publishes a crafted APM package with symlinks targeting sensitive files—SSH keys, .env credentials, cloud tokens—can exfiltrate that data simply by having a developer run the integration step, with no post-install script or privilege escalation required. Critically, all three of APM's own defenses (content_hash verification, SecurityGate pre-deploy scan, and apm audit) fail to detect symlink payloads, and affected files are staged by git automatically since deploy roots are excluded from the auto-generated .gitignore—meaning a single git push can expose secrets to attacker-controlled infrastructure. While the raw EPSS probability is low at 0.076%, placement in the 77th percentile combined with the complete bypass of multiple trusted security controls and the targeted nature of AI agent supply chains elevates practical risk significantly. Upgrade to APM 0.13.0 immediately and audit recently integrated packages for unexpected files in deploy directories.
What is the risk?
CVSS 7.4 High with Changed scope reflects the cross-boundary nature of the impact: an untrusted remote package gains read access to the host filesystem beyond the dependency sandbox. Exploitation requires user interaction (running integration) but keeps complexity low and demands no privileges—matching attacker profiles ranging from opportunistic to targeted. The EPSS of 0.076% indicates low current in-the-wild activity; however, the attack's invisibility to all three of APM's built-in security controls—mechanisms developers explicitly trust for supply chain validation—makes successful exploitation particularly silent when it occurs. Teams managing AI agent deployments with APM face supply chain risk comparable to malicious npm and PyPI packages, with the added danger that the exfiltration mechanism bypasses purpose-built security tooling and auto-stages results for git commit.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Microsoft APM | pip | >= 0.5.4, <= 0.12.4 | 0.13.0 |
Do you use Microsoft APM? You're affected.
What should I do?
7 steps:
1. Upgrade to APM 0.13.0 immediately—this is the only complete fix.
2. Audit apm_modules/ and all project deploy directories for unexpected files, particularly .env, *.pem, *.key, id_rsa, or cloud credential files that should not be present.
3. Run git diff --cached before any push to inspect what is staged; look for files that do not belong in the project.
4. Explicitly add deploy output directories to .gitignore as defense-in-depth.
5. Deploy pre-commit hooks (e.g., git-secrets, detect-secrets, trufflehog) to block accidental credential commits in all repositories using APM.
6. Review all APM packages installed with versions 0.5.4–0.12.4 for unexpected symlinks inside .apm/prompts/ and .apm/agents/ subdirectories.
7. Treat any APM package published by an unverified or newly created account as untrusted until 0.13.0 is in place.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-45539 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-45539, increasing the risk of exploitation.
What systems are affected by CVE-2026-45539?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, agent deployment pipelines, prompt template management, CI/CD for AI agent projects.
What is the CVSS score for CVE-2026-45539?
CVE-2026-45539 has a CVSS v3.1 base score of 7.4 (HIGH). The EPSS exploitation probability is 0.65%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0002.002 AI Agent Configuration
- AML.T0010.001 AI Software
- AML.T0011.001 Malicious Package
- AML.T0025 Exfiltration via Cyber Means
- AML.T0055 Unsecured Credentials
What are the technical details?
Original Advisory
Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project's deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0.
Exploitation Scenario
An adversary publishes a legitimate-looking APM package—for example, a popular system-prompt library or agent configuration bundle for an AI workflow—to the public APM registry. Inside the package, under .apm/prompts/system.prompt.md, they commit a symbolic link pointing to /home/user/.ssh/id_rsa or /app/.env. When a CI/CD pipeline or developer runs the APM integration step on a project using any affected version, the integrator follows the symlink via bare Path.rglob(), reads the private key or secrets file via Path.read_text(), and writes the resolved content as a regular file into the deploy directory. SecurityGate and apm audit report a clean bill of health. The developer runs git add . and the exfiltrated credential is staged automatically. A push to GitHub—routine in any CI pipeline—completes the exfiltration. The adversary, monitoring the target repository or having embedded a webhook in the dependency, retrieves the secrets without ever requiring direct access to the victim's machine.
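The following is an added example, not code from apm-cli or from the advisory. It shows, side by side, the naive integrator pattern the advisory describes (bare Path.rglob() plus Path.read_text(), which dereferences any symlink) and a hardened form that refuses symlinks, confirms the resolved path stays inside the package, and opens with O_NOFOLLOW. It also contains the audit that mitigation steps 2 and 6 ask for: a walk over an apm_modules/ tree that reports every symlink whose target resolves outside the package. The directory layout (apm_modules/<pkg>/.apm/prompts/*.prompt.md) follows the advisory; the function names and the temporary fixture with its constructed secret are assumptions made for illustration.

```python
"""Added example (not apm-cli's own code): symlink audit for an APM-style
package tree, plus a naive and a hardened prompt integrator.
Layout follows the advisory; names and the fixture are assumptions."""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(pkg_root: Path) -> list[tuple[Path, Path]]:
    """Return (link, resolved_target) pairs for every symlink under pkg_root
    whose target lies outside pkg_root. Path.rglob yields symlinks as entries
    without descending into symlinked directories, and is_symlink() does not
    dereference them, so the audit itself never reads through a link."""
    root = pkg_root.resolve()
    escaping = []
    for entry in pkg_root.rglob("*"):
        if not entry.is_symlink():
            continue
        target = entry.resolve()  # follows the link chain; may land anywhere
        if not target.is_relative_to(root):
            escaping.append((entry, target))
    return escaping


def naive_integrate(pkg_root: Path, deploy_dir: Path) -> list[Path]:
    """The pattern the advisory describes: rglob() + read_text() silently
    follows any symlink, and the resolved bytes land in deploy_dir as a
    regular file. Kept only to contrast with safe_integrate()."""
    deploy_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for src in pkg_root.rglob("*.prompt.md"):
        dst = deploy_dir / src.name
        dst.write_text(src.read_text())
        written.append(dst)
    return written


def safe_integrate(pkg_root: Path, deploy_dir: Path) -> tuple[list[Path], list[Path]]:
    """Hardened form: reject symlinks outright, require the resolved path to
    stay inside the package, and open with O_NOFOLLOW so a link swapped in
    between the check and the read is still refused by the kernel."""
    root = pkg_root.resolve()
    deploy_dir.mkdir(parents=True, exist_ok=True)
    nofollow = getattr(os, "O_NOFOLLOW", 0)  # absent on Windows; no-op there
    written, rejected = [], []
    for src in pkg_root.rglob("*.prompt.md"):
        if src.is_symlink() or not src.resolve().is_relative_to(root):
            rejected.append(src)
            continue
        fd = os.open(src, os.O_RDONLY | nofollow)
        with os.fdopen(fd, "r", encoding="utf-8") as fh:
            content = fh.read()
        dst = deploy_dir / src.name
        dst.write_text(content)
        written.append(dst)
    return written, rejected


def build_fixture() -> tuple[Path, Path, Path]:
    """Constructed layout in a temp dir (not a real package): a sample secret
    outside the project, and apm_modules/example-pkg/.apm/prompts/ holding
    one regular prompt and one symlink aimed at that secret."""
    base = Path(tempfile.mkdtemp())
    secret = base / "home" / "user" / ".env"
    secret.parent.mkdir(parents=True)
    secret.write_text("API_TOKEN=constructed-sample-value\n")
    project = base / "project"
    pkg = project / "apm_modules" / "example-pkg"
    prompts = pkg / ".apm" / "prompts"
    prompts.mkdir(parents=True)
    (prompts / "hello.prompt.md").write_text("# Hello\nBe helpful.\n")
    (prompts / "system.prompt.md").symlink_to(secret)
    return project, pkg, secret


if __name__ == "__main__":
    project, pkg, secret = build_fixture()
    for link, target in find_escaping_symlinks(pkg):
        print(f"AUDIT: {link.relative_to(project)} -> {target}")
    naive = naive_integrate(pkg, project / "deploy-naive")
    print("naive integrator wrote:", [p.name for p in naive])
    written, rejected = safe_integrate(pkg, project / "deploy-safe")
    print("safe integrator wrote:", [p.name for p in written],
          "rejected:", [p.name for p in rejected])
```

Running find_escaping_symlinks() over each directory under apm_modules/ is a direct check for step 6; a clean audit plus a diff of the deploy directories against the package's regular files covers step 2. The is_symlink()/is_relative_to() pair catches the committed-symlink case the advisory describes, and O_NOFOLLOW closes the remaining window in which a link could appear after the check.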
Weaknesses (CWE)
- CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (Primary)
- CWE-59 Improper Link Resolution Before File Access ('Link Following') (Primary)
CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Related Vulnerabilities
- CVE-2026-46858 (9.1): Oracle APM: unauthenticated write/DoS via JVM Diagnostics (same package: apm)
- CVE-2026-57947 (8.5): Analysis pending (same package: apm)
- CVE-2026-57948 (6.8): Analysis pending (same package: apm)
- CVE-2026-49835 (5.9): Analysis pending (same package: apm)
- GHSA-rf84-wr5g-m3rp (5.5): CAPM3: cross-namespace auth bypass exposes K8s secrets (same package: apm)