CVE-2026-45539: Microsoft APM: symlink attack leaks host files in agent deps

GHSA-q5pp-gvjg-h7v4 HIGH
Published May 15, 2026
CISO Take

Microsoft APM, an open-source dependency manager for AI agents, contains a symlink-following flaw (CWE-59) in its CLI integrators across versions 0.5.4–0.12.4 that allows a malicious remote package to read arbitrary host files and silently write their contents into project deploy directories. An adversary who publishes a crafted APM package with symlinks targeting sensitive files—SSH keys, .env credentials, cloud tokens—can exfiltrate that data simply by having a developer run the integration step, with no post-install script or privilege escalation required. Critically, all three of APM's own defenses (content_hash verification, SecurityGate pre-deploy scan, and apm audit) fail to detect symlink payloads, and affected files are staged by git automatically since deploy roots are excluded from the auto-generated .gitignore—meaning a single git push can expose secrets to attacker-controlled infrastructure. While the raw EPSS probability is low at 0.076%, placement in the 77th percentile combined with the complete bypass of multiple trusted security controls and the targeted nature of AI agent supply chains elevates practical risk significantly. Upgrade to APM 0.13.0 immediately and audit recently integrated packages for unexpected files in deploy directories.

Sources: NVD, GitHub Advisory, EPSS, ATLAS

What is the risk?

CVSS 7.4 High with Changed scope reflects the cross-boundary nature of the impact: an untrusted remote package gains read access to the host filesystem beyond the dependency sandbox. Exploitation requires user interaction (running integration) but keeps complexity low and demands no privileges—matching attacker profiles ranging from opportunistic to targeted. The EPSS of 0.076% indicates low current in-the-wild activity; however, the attack's invisibility to all three of APM's built-in security controls—mechanisms developers explicitly trust for supply chain validation—makes successful exploitation particularly silent when it occurs. Teams managing AI agent deployments with APM face supply chain risk comparable to malicious npm and PyPI packages, with the added danger that the exfiltration mechanism bypasses purpose-built security tooling and auto-stages results for git commit.

Attack Kill Chain

Supply Chain Staging
Adversary publishes a malicious APM package to the public registry containing symbolic links inside .apm/prompts/ or .apm/agents/ that point to sensitive host filesystem paths such as ~/.ssh/id_rsa, ~/.aws/credentials, or project .env files.
AML.T0010.001
User-Triggered Integration
Victim developer or CI/CD pipeline runs apm-cli to integrate the dependency; bare Path.rglob() and Path.read_text() calls transparently follow the embedded symlinks and read the resolved host file contents without any warning or security flag.
AML.T0011.001
Silent Security Control Bypass
Resolved sensitive file content is written as regular files into deploy directories; content_hash verification, SecurityGate pre-deploy scan, and apm audit all pass cleanly, leaving no alert trail for the victim to detect the compromise.
AML.T0107
Credential Exfiltration via Git
Exfiltrated files are automatically staged by git since deploy roots are absent from the auto-generated .gitignore; a routine git push propagates the stolen secrets to remote repositories where the adversary retrieves them.
AML.T0025

What systems are affected?

Package   Ecosystem   Vulnerable Range       Patched
apm       pip         >= 0.5.4, <= 0.12.4    0.13.0


Severity & Risk

CVSS 3.1: 7.4 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 23% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): High
I (Integrity): None
A (Availability): None

What should I do?

7 steps
  1. Upgrade to APM 0.13.0 immediately—this is the only complete fix.

  2. Audit apm_modules/ and all project deploy directories for unexpected files, particularly .env, *.pem, *.key, id_rsa, or cloud credential files that should not be present.

  3. Run git diff --cached before any push to inspect what is staged; look for files that do not belong in the project.

  4. Explicitly add deploy output directories to .gitignore as defense-in-depth.

  5. Deploy pre-commit hooks (e.g., git-secrets, detect-secrets, trufflehog) to block accidental credential commits in all repositories using APM.

  6. Review all APM packages installed with versions 0.5.4–0.12.4 for unexpected symlinks inside .apm/prompts/ and .apm/agents/ subdirectories.

  7. Treat any APM package published by an unverified or newly created account as untrusted until 0.13.0 is in place.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 17 - Quality Management System
Article 9 - Risk Management System
ISO 42001
A.11 - Third Parties and Suppliers
NIST AI RMF
GOVERN 1.1 - Policies and Processes for AI Risk Management
MANAGE 2.2 - Mechanisms to Minimize Negative Impacts of AI Systems
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure
LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2026-45539?

Microsoft APM, an open-source dependency manager for AI agents, contains a symlink-following flaw (CWE-59) in its CLI integrators across versions 0.5.4–0.12.4 that allows a malicious remote package to read arbitrary host files and silently write their contents into project deploy directories. An adversary who publishes a crafted APM package with symlinks targeting sensitive files—SSH keys, .env credentials, cloud tokens—can exfiltrate that data simply by having a developer run the integration step, with no post-install script or privilege escalation required. Critically, all three of APM's own defenses (content_hash verification, SecurityGate pre-deploy scan, and apm audit) fail to detect symlink payloads, and affected files are staged by git automatically since deploy roots are excluded from the auto-generated .gitignore—meaning a single git push can expose secrets to attacker-controlled infrastructure. While the raw EPSS probability is low at 0.076%, placement in the 77th percentile combined with the complete bypass of multiple trusted security controls and the targeted nature of AI agent supply chains elevates practical risk significantly. Upgrade to APM 0.13.0 immediately and audit recently integrated packages for unexpected files in deploy directories.

Is CVE-2026-45539 actively exploited?

No confirmed active exploitation of CVE-2026-45539 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45539?

  1. Upgrade to APM 0.13.0 immediately—this is the only complete fix.

  2. Audit apm_modules/ and all project deploy directories for unexpected files, particularly .env, *.pem, *.key, id_rsa, or cloud credential files that should not be present.

  3. Run git diff --cached before any push to inspect what is staged; look for files that do not belong in the project.

  4. Explicitly add deploy output directories to .gitignore as defense-in-depth.

  5. Deploy pre-commit hooks (e.g., git-secrets, detect-secrets, trufflehog) to block accidental credential commits in all repositories using APM.

  6. Review all APM packages installed with versions 0.5.4–0.12.4 for unexpected symlinks inside .apm/prompts/ and .apm/agents/ subdirectories.

  7. Treat any APM package published by an unverified or newly created account as untrusted until 0.13.0 is in place.

What systems are affected by CVE-2026-45539?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, agent deployment pipelines, prompt template management, CI/CD for AI agent projects.

What is the CVSS score for CVE-2026-45539?

CVE-2026-45539 has a CVSS v3.1 base score of 7.4 (HIGH). The EPSS exploitation probability is 0.08%.

Technical Details

NVD Description

Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project's deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0.
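Added illustration, not apm-cli's own code: a constructed package tree with one symlink under .apm/prompts/, the bare rglob()/read_text() pattern the NVD text describes beside a hardened enumerator that skips symlinks and anything resolving outside the package root, plus an audit helper for remediation steps 2 and 6. All paths, file names and the "secret" content are constructed for the demo; the real integrator is not reproduced.

```python
import os
import tempfile
from pathlib import Path


def audit_symlinks(package_root: Path) -> list:
    """Remediation check: list every symlink under a package (constructed helper)."""
    return sorted(p for p in package_root.rglob("*") if p.is_symlink())


def naive_read_prompts(package_root: Path, pattern: str = "*.prompt.md") -> dict:
    """Vulnerable pattern from the advisory: bare rglob() + read_text() silently
    dereferences symlinks, so a link to a host file yields that file's content."""
    return {p.name: p.read_text() for p in package_root.rglob(pattern)}


def safe_read_prompts(package_root: Path, pattern: str = "*.prompt.md") -> dict:
    """Hardened enumeration: refuse symlinks and any path whose real location
    is not a regular file inside the package root."""
    root = package_root.resolve()
    out = {}
    for p in package_root.rglob(pattern):
        if p.is_symlink():
            continue  # never follow links shipped inside a dependency
        real = p.resolve()
        if root not in real.parents or not real.is_file():
            continue  # resolved outside the package, or not a plain file
        out[p.name] = p.read_text()
    return out


def build_demo() -> tuple:
    """Construct apm_modules/<pkg>/.apm/prompts/ with one real prompt and one
    symlink (system.prompt.md) pointing at a 'secret' outside the package."""
    base = Path(tempfile.mkdtemp())
    secret = base / "host_secret.txt"          # stands in for a host credential file
    secret.write_text("CONSTRUCTED-SECRET")
    pkg = base / "apm_modules" / "demo-pkg"
    prompts = pkg / ".apm" / "prompts"
    prompts.mkdir(parents=True)
    (prompts / "real.prompt.md").write_text("# legit prompt\n")
    os.symlink(secret, prompts / "system.prompt.md")
    return pkg, secret
```

The audit helper is what steps 2 and 6 ask for in practice; the hardened enumerator shows the kind of check that closes the CWE-59 path without changing how legitimate prompt files are read.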

Exploitation Scenario

An adversary publishes a legitimate-looking APM package—for example, a popular system-prompt library or agent configuration bundle for an AI workflow—to the public APM registry. Inside the package, under .apm/prompts/system.prompt.md, they commit a symbolic link pointing to /home/user/.ssh/id_rsa or /app/.env. When a CI/CD pipeline or developer runs the APM integration step on a project using any affected version, the integrator follows the symlink via bare Path.rglob(), reads the private key or secrets file via Path.read_text(), and writes the resolved content as a regular file into the deploy directory. SecurityGate and apm audit report a clean bill of health. The developer runs git add . and the exfiltrated credential is staged automatically. A push to GitHub—routine in any CI pipeline—completes the exfiltration. The adversary, monitoring the target repository or having embedded a webhook in the dependency, retrieves the secrets without ever requiring direct access to the victim's machine.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Timeline

Published
May 15, 2026
Last Modified
May 18, 2026
First Seen
May 15, 2026
