Microsoft APM Vulnerability CVE-2026-45539 Exposes AI Agent Files
A critical vulnerability, CVE-2026-45539, has been identified in Microsoft APM, an open-source dependency manager for AI agents. The National Vulnerability Database reports that versions 0.5.4 through 0.12.4 are susceptible to a symbolic link traversal issue. Specifically, primitive integrators in apm-cli transparently follow symbolic links when enumerating and reading package files.
This flaw allows a symlink committed within a remote APM dependency (under .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md) to be preserved during cloning into apm_modules/. When integrated, this symlink is dereferenced, and its resolved content is written as a regular file into the project’s deploy directories. Crucially, existing security checks like content_hash, SecurityGate scans, and apm audit fail to detect this, and because the deploy roots are not added to .gitignore, the resulting files are staged by default in Git. This creates a clear path for attackers to inject malicious files or overwrite legitimate ones.
The National Vulnerability Database has assigned CVE-2026-45539 a CVSSv3.1 score of 7.4 (HIGH), citing a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N. The vulnerability is tracked under CWE-59 (Improper Control of a Resource Through a Search Path) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The fix is available in Microsoft APM version 0.13.0.
What This Means For You
- If your organization uses Microsoft APM for managing AI agent dependencies, you need to immediately audit your deployments. This isn't just a theoretical vulnerability; it's a direct path for an attacker to inject arbitrary files into your build and deploy processes by simply committing a malicious symlink in a dependency. Patch to version 0.13.0 without delay. Furthermore, review your CI/CD pipelines to ensure they explicitly disallow symbolic link traversal in dependency handling, especially for AI agent deployments where code integrity is paramount.
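One way to implement the pipeline check recommended above, as an added example (not code from Microsoft APM or from the original page): it walks the cloned dependency tree without following links and fails the build on any symlink inside a .apm/prompts/ or .apm/agents/ directory, or any symlink that resolves outside the tree. The function names, and the assumption that dependencies are cloned under apm_modules/ in the working directory, are this example's own.

```python
import os
import sys

# Directory names come from the advisory; everything else about the layout
# under apm_modules/ is an assumption of this example.
PRIMITIVE_DIRS = (os.path.join(".apm", "prompts"), os.path.join(".apm", "agents"))


def find_symlinks(modules_root):
    """Return (path, resolved_target, escapes_root) for each symlink under modules_root."""
    root_real = os.path.realpath(modules_root)
    findings = []
    # followlinks=False: report linked directories but never walk through them.
    for dirpath, dirnames, filenames in os.walk(modules_root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # also resolves dangling links
            try:
                escapes = os.path.commonpath([root_real, target]) != root_real
            except ValueError:  # e.g. different drives on Windows
                escapes = True
            findings.append((path, target, escapes))
    return findings


def in_primitive_dir(path):
    """True when path lies inside a .apm/prompts or .apm/agents directory."""
    normalized = os.sep + os.path.normpath(path) + os.sep
    return any(os.sep + d + os.sep in normalized for d in PRIMITIVE_DIRS)


def blocking_findings(modules_root):
    """Links that should fail the build: any link in a prompts/agents directory,
    or any link whose target resolves outside modules_root."""
    return [f for f in find_symlinks(modules_root) if f[2] or in_primitive_dir(f[0])]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "apm_modules"
    bad = blocking_findings(root)
    for path, target, escapes in bad:
        note = " (resolves outside root)" if escapes else ""
        print(f"BLOCK {path} -> {target}{note}")
    sys.exit(1 if bad else 0)
```

Run it as a pipeline step after dependencies are fetched and before any integration or deploy step; a non-zero exit code stops the job.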
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-45539 - APM Agent File Disclosure via Symlink
```yaml
title: CVE-2026-45539 - APM Agent File Disclosure via Symlink
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects the creation of files within the .apm/prompts/ or .apm/agents/ directories that are intended to be part of an AI agent's dependency, which is a precursor to the symlink vulnerability in Microsoft APM (CVE-2026-45539). This rule specifically looks for the presence of these directories and the expected file extensions, indicating a potential exploitation attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45539/
tags:
  - attack.defense_evasion
  - attack.t1071.004
logsource:
  category: file_event
detection:
  # The file path must contain one of the APM prompt or agent directories...
  selection:
    TargetFilename|contains:
      - '.apm/prompts/'
      - '.apm/agents/'
  # ...and one of the expected prompt or agent file suffixes.
  selection_indicators:
    TargetFilename|contains:
      - '.prompt.md'
      - '.agent.md'
  condition: selection and selection_indicators
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-45539 | Path Traversal | Microsoft APM apm-cli versions 0.5.4 to 0.12.4 |
| CVE-2026-45539 | Information Disclosure | Microsoft APM apm-cli vulnerable to symbolic link following in .apm/prompts/ |
| CVE-2026-45539 | Misconfiguration | Microsoft APM apm-cli deploy roots not added to .gitignore |
| CVE-2026-45539 | Path Traversal | Microsoft APM apm-cli fixed in version 0.13.0 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 15, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.