Skip to main content

Microsoft APM CVE-2026-46383

| EUVDEUVD-2026-30559 MEDIUM
Path Traversal (CWE-22)
2026-05-15 GitHub_M GHSA-mq5j-pw29-jcv3
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
May 15, 2026 - 18:02 EUVD
Analysis Generated
May 15, 2026 - 17:16 vuln.today

DescriptionGitHub Advisory

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install <bundle> on supported Python 3.10 and 3.11 runtimes. When apm install is given a local .tar.gz that is not recognized as a plugin-format bundle, APM probes whether it is a legacy --format apm bundle. On Python versions earlier than 3.12, that probe extracts untrusted tar members with raw tar.extractall() without rejecting Windows absolute member names such as D:/.... This vulnerability is fixed in 0.13.0.

AnalysisAI

Archive extraction boundary failure in Microsoft APM's legacy-bundle probe allows local attackers to overwrite arbitrary files on Windows systems running Python 3.10 or 3.11. When users run 'apm install' on a malicious .tar.gz file, untrusted tar members bypass path validation, enabling absolute path writes (e.g., D:/...) that compromise system integrity. Fixed in version 0.13.0. No active exploitation confirmed at time of analysis, but the local attack vector with user interaction required (CVSS AV:L/UI:R) limits real-world risk to social engineering scenarios targeting AI agent developers on Windows platforms.

Technical ContextAI

Microsoft APM is a community-driven dependency manager for AI agents. The vulnerability stems from CWE-22 (Path Traversal) in the legacy-bundle installation probe mechanism. When processing .tar.gz archives not recognized as standard plugin-format bundles, APM attempts to extract them as legacy '--format apm' bundles. On Python versions 3.10 and 3.11 (but not 3.12+, which includes enhanced path validation), the code uses raw tar.extractall() without sanitizing Windows absolute paths. The Windows filesystem allows absolute drive-prefixed paths like 'D:/arbitrary/location' in tar member names, which bypass Unix-style '../' traversal checks. This Windows-specific weakness in archive handling predates Python 3.12's security improvements to the tarfile module. The affected CPE (cpe:2.3:a:microsoft:apm:*:*:*:*:*:*:*:*) indicates all versions prior to 0.13.0 on Windows with Python 3.10/3.11 are vulnerable.

RemediationAI

Upgrade Microsoft APM to version 0.13.0 or later, which implements proper path validation for tar member extraction in the legacy-bundle probe. Vendor advisory available at https://github.com/microsoft/apm/security/advisories/GHSA-mq5j-pw29-jcv3. For environments unable to immediately upgrade, implement compensating controls: (1) Upgrade Python runtime to 3.12 or later, which provides tarfile module hardening that blocks absolute path traversal independent of APM version - this is the strongest mitigation but may require application compatibility testing; (2) Restrict 'apm install' operations to trusted bundle sources only through organizational policy and code review processes - reduces attack surface but relies on human vigilance; (3) Run APM operations in sandboxed/containerized environments with minimal filesystem permissions to limit blast radius of arbitrary file writes - adds operational complexity and may break legitimate workflows requiring system-wide package installation. Note that workarounds do not eliminate the vulnerability, only reduce exploitation likelihood or impact.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-46383 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy