CVE-2026-44641: Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install
Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer’s machine during apm install.
In the verified primary proof of concept, a malicious plugin sets plugin.json.commands to an external markdown file. A single apm install copies that outside file into .apm/prompts/ and then auto-integrates it into .github/prompts/secret.prompt.md in the victim project. This is a local supply-chain trust-boundary violation with direct confidentiality and integrity impact.
Reviewed version and commit:
apm-cli version 0.8.11, branch main, commit 70b34faa16a5a783424698163deeb028854fd23a
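The missing control described above is a containment check on every plugin.json component path before it is copied. The following is an added example of that check (not APM's own code); it assumes the four manifest fields hold a string or a list of strings, and the sample manifests and plugin root are constructed.

```python
from __future__ import annotations

import json
from pathlib import Path

# plugin.json fields the advisory names as holding component paths copied into .apm/.
COMPONENT_FIELDS = ("agents", "skills", "commands", "hooks")


class PluginPathError(ValueError):
    """A manifest path is absolute or resolves outside the plugin root."""


def resolve_component(plugin_root: str | Path, component: str) -> Path:
    """Return the real target of a manifest path, or raise if it leaves plugin_root."""
    root = Path(plugin_root).resolve()
    if Path(component).is_absolute():
        raise PluginPathError(f"absolute path not allowed: {component!r}")
    # resolve() collapses '..' segments and follows symlinks for parts that exist,
    # so containment is tested on the real target rather than the literal string.
    target = (root / component).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise PluginPathError(f"path escapes plugin root: {component!r}") from None
    return target


def validate_manifest(plugin_root: str | Path, manifest: dict) -> dict[str, list[Path]]:
    """Resolve every component path in a parsed plugin.json; the whole manifest is
    rejected on the first escaping path. Field shape (string or list of strings) is
    an assumption of this example, not confirmed by the advisory."""
    resolved: dict[str, list[Path]] = {}
    for field in COMPONENT_FIELDS:
        value = manifest.get(field)
        if value is None:
            continue
        entries = [value] if isinstance(value, str) else list(value)
        resolved[field] = [resolve_component(plugin_root, e) for e in entries]
    return resolved


# Constructed sample manifests (not from a real plugin): one benign, one abusing 'commands'.
BENIGN_MANIFEST = json.loads('{"commands": ["commands/build.md"], "skills": "skills/review.md"}')
MALICIOUS_MANIFEST = json.loads('{"commands": "../../outside/secret.md"}')

if __name__ == "__main__":
    root = Path("/tmp/example-plugin")  # constructed; need not exist for resolve()
    print(validate_manifest(root, BENIGN_MANIFEST))
    try:
        validate_manifest(root, MALICIOUS_MANIFEST)
    except PluginPathError as exc:
        print("rejected:", exc)
```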