Skip to main content

ciguard CVE-2026-44218

LOW
Improper Privilege Management (CWE-269)
2026-05-05 https://github.com/Jo-Jo98/ciguard GHSA-jrm4-4pcf-4763
3.0
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.0 LOW
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 23:01 vuln.today
Analysis Generated
May 05, 2026 - 23:01 vuln.today

DescriptionGitHub Advisory

Summary

The published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactful than it needs to be.

Threat scenario

Defence-in-depth gap. Without a known container-runtime CVE in the chain, this finding is not directly exploitable. Recent runc CVEs (e.g. CVE-2024-21626) provided escape primitives that depended on host UID = container UID = 0 for full impact; with this fix, any future such escape primitive lands as a non-root user on the host.

Patch

  • Dockerfile adds RUN groupadd -r ciguard && useradd -r -g ciguard -d /home/ciguard -m -s /usr/sbin/nologin ciguard && chown -R ciguard:ciguard /reports /policies-mount /app.
  • Followed by USER ciguard before the CMD directive.
  • Trivy DS-0002 misconfig clears (Tests: 20 SUCCESSES: 20 FAILURES: 0).

Discovery

Found by Trivy filesystem scan during ciguard's first self-conducted pentest cycle, 2026-04-26.

CVSS Scoring

  • CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N - 2.0 (Low)
  • CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N - 3.4 (Low) per Cycle 1 report; GitHub's calc 1.8 (Low). Both Low.

Verification

$ docker run --rm ghcr.io/jo-jo98/ciguard:v0.8.2 id
uid=999(ciguard) gid=999(ciguard) groups=999(ciguard)

Resources

AnalysisAI

The ciguard static analysis container image (versions 0.1.0-0.8.1) runs as root due to a missing USER directive in the Dockerfile, creating a privilege-escalation amplification risk for future container-runtime escape vulnerabilities. This is a defence-in-depth gap rather than a directly exploitable vulnerability; it reduces the impact of hypothetical escapes (such as runc CVE-2024-21626) from host-root compromise to non-root user compromise. Vendor-released patch in v0.8.2 adds a dedicated non-root ciguard user and USER directive, verified by container inspection and automated regression testing in v0.8.3.

Technical ContextAI

The vulnerability stems from missing containerization best practice in the Dockerfile: absence of a USER directive causes the container to inherit the default root user (UID 0). ciguard is a static analyser (Python-based, CPE pkg:pip/ciguard) with no operational need for root privileges. The root cause is classified as CWE-269 (Improper Assignment of Privileged Roles). The threat model exploits the principle that container-runtime escape CVEs (such as runc privilege-escalation flaws) have amplified impact when the escaped process already has root privileges. By establishing a non-root user in the Dockerfile and dropping privileges before CMD execution, the patch reduces the blast radius of future escapes: even if a container-runtime bug allows host-system code execution, it executes as the non-root ciguard user rather than root. The fix creates the ciguard group and user, restricts ownership of sensitive directories (/reports, /policies-mount, /app), and sets nologin shell to further limit interactive access.

RemediationAI

Upgrade to ciguard v0.8.2 or later. The patch adds a dedicated non-root user and USER directive to the Dockerfile; verification by running docker run --rm ghcr.io/jo-jo98/ciguard:v0.8.2 id confirms execution as UID 999 (ciguard user) rather than UID 0. For users unable to upgrade immediately, a compensating control is to rebuild the container image locally with an added USER directive: after the base image and application setup, insert RUN groupadd -r ciguard && useradd -r -g ciguard -d /home/ciguard -m -s /usr/sbin/nologin ciguard && chown -R ciguard:ciguard /app /reports /policies-mount followed by USER ciguard before the CMD directive. This approach carries no performance penalty but requires local image build and registry management. Additionally, implement pod security policies or Kubernetes SecurityContext enforcement to set runAsNonRoot: true and runAsUser: <non-zero> in container specs; this provides runtime validation even if the image is misconfigured. v0.8.3 adds permanent CI regression gates to prevent reintroduction of this misconfiguration (https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3).

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-44218 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy