ciguard CVE-2026-44218
LOWSeverity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactful than it needs to be.
Threat scenario
Defence-in-depth gap. Without a known container-runtime CVE in the chain, this finding is not directly exploitable. Recent runc CVEs (e.g. CVE-2024-21626) provided escape primitives that depended on host UID = container UID = 0 for full impact; with this fix, any future such escape primitive lands as a non-root user on the host.
Patch
- Dockerfile adds
RUN groupadd -r ciguard && useradd -r -g ciguard -d /home/ciguard -m -s /usr/sbin/nologin ciguard && chown -R ciguard:ciguard /reports /policies-mount /app. - Followed by
USER ciguardbefore theCMDdirective. - Trivy DS-0002 misconfig clears (
Tests: 20 SUCCESSES: 20 FAILURES: 0).
Discovery
Found by Trivy filesystem scan during ciguard's first self-conducted pentest cycle, 2026-04-26.
CVSS Scoring
- CVSS v3.1:
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N- 2.0 (Low) - CVSS v4.0:
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N- 3.4 (Low) per Cycle 1 report; GitHub's calc 1.8 (Low). Both Low.
Verification
$ docker run --rm ghcr.io/jo-jo98/ciguard:v0.8.2 id
uid=999(ciguard) gid=999(ciguard) groups=999(ciguard)Resources
AnalysisAI
The ciguard static analysis container image (versions 0.1.0-0.8.1) runs as root due to a missing USER directive in the Dockerfile, creating a privilege-escalation amplification risk for future container-runtime escape vulnerabilities. This is a defence-in-depth gap rather than a directly exploitable vulnerability; it reduces the impact of hypothetical escapes (such as runc CVE-2024-21626) from host-root compromise to non-root user compromise. Vendor-released patch in v0.8.2 adds a dedicated non-root ciguard user and USER directive, verified by container inspection and automated regression testing in v0.8.3.
Technical ContextAI
The vulnerability stems from missing containerization best practice in the Dockerfile: absence of a USER directive causes the container to inherit the default root user (UID 0). ciguard is a static analyser (Python-based, CPE pkg:pip/ciguard) with no operational need for root privileges. The root cause is classified as CWE-269 (Improper Assignment of Privileged Roles). The threat model exploits the principle that container-runtime escape CVEs (such as runc privilege-escalation flaws) have amplified impact when the escaped process already has root privileges. By establishing a non-root user in the Dockerfile and dropping privileges before CMD execution, the patch reduces the blast radius of future escapes: even if a container-runtime bug allows host-system code execution, it executes as the non-root ciguard user rather than root. The fix creates the ciguard group and user, restricts ownership of sensitive directories (/reports, /policies-mount, /app), and sets nologin shell to further limit interactive access.
RemediationAI
Upgrade to ciguard v0.8.2 or later. The patch adds a dedicated non-root user and USER directive to the Dockerfile; verification by running docker run --rm ghcr.io/jo-jo98/ciguard:v0.8.2 id confirms execution as UID 999 (ciguard user) rather than UID 0. For users unable to upgrade immediately, a compensating control is to rebuild the container image locally with an added USER directive: after the base image and application setup, insert RUN groupadd -r ciguard && useradd -r -g ciguard -d /home/ciguard -m -s /usr/sbin/nologin ciguard && chown -R ciguard:ciguard /app /reports /policies-mount followed by USER ciguard before the CMD directive. This approach carries no performance penalty but requires local image build and registry management. Additionally, implement pod security policies or Kubernetes SecurityContext enforcement to set runAsNonRoot: true and runAsUser: <non-zero> in container specs; this provides runtime validation even if the image is misconfigured. v0.8.3 adds permanent CI regression gates to prevent reintroduction of this misconfiguration (https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3).
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jrm4-4pcf-4763