Skip to main content

ciguard CVE-2026-44220

LOW
Improper Link Resolution Before File Access (CWE-59)
2026-05-05 https://github.com/Jo-Jo98/ciguard GHSA-8cxw-cc62-q28v
3.2
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.2 LOW
AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
May 12, 2026 - 20:22 NVD
3.2 (LOW)
Source Code Evidence Fetched
May 05, 2026 - 23:02 vuln.today
Analysis Generated
May 05, 2026 - 23:02 vuln.today

DescriptionGitHub Advisory

Summary

The discover_pipeline_files() function in src/ciguard/discovery.py (introduced in v0.8.0 and used by the MCP scan_repo tool shipped in v0.8.1) walks a directory tree following symlinks, with cycle protection via tracking visited resolved paths. An attacker who can plant a symlink in a directory the user (or AI agent) scans can cause discovery to walk into the symlink target and return paths to pipeline-shaped files outside the requested root.

Threat scenario

MCP confused-deputy. A user runs Claude Desktop / Claude Code / Cursor with the ciguard MCP server registered. The agent is fed an adversarial prompt to scan a directory containing planted symlinks (e.g. via a malicious clone or extracted tarball). ciguard.scan_repo walks the symlinks, returning paths and (via subsequent scan calls) file content from ~/.aws/, ~/.config/, /etc/some-pipeline-config/, etc. Pipeline files often contain hardcoded secrets, internal hostnames, deploy keys.

Patch

  • New follow_symlinks: bool = False parameter on discover_pipeline_files. Default refuses to descend into symlinked directories OR symlinked files.
  • Belt-and-braces: results are filtered to those whose .resolve() lies under root.resolve(), applied even when callers opt in to follow_symlinks=True.
  • 3 regression tests in tests/test_discovery.py::TestSymlinkSafety.

Discovery

Found during ciguard's first self-conducted penetration test cycle (PTES + OWASP TG v4.2 + CREST framing), 2026-04-26.

CVSS Scoring

  • CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N - 4.4 (Medium)
  • CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N - first.org calc 5.7 (Medium); GitHub's calc returns 2.4 (Low). Vector is correct - calculator profiles differ.

Reproduction

python
from pathlib import Path
from ciguard.discovery import discover_pipeline_files
# In a victim dir, plant: trojan -> /etc
# (or any other accessible dir containing pipeline-shaped files)
for f in discover_pipeline_files(Path('/tmp/victim')):
    print(f)
# pre-fix: includes paths under /etc; post-fix: only /tmp/victim/

References

See also: GHSA-w828-4qhx-vxx3 - same conceptual pattern (path-validation flaw in an AI-agent tool) in Claude SDK for Python, CWE-59 + CWE-367

AnalysisAI

The discover_pipeline_files() function in ciguard v0.8.0-0.8.1 follows symlinks during directory traversal without validating that discovered paths remain within the scan root, allowing an attacker who plants symlinks in a scanned directory to cause the MCP server to leak file paths and contents from sensitive locations such as ~/.aws/, ~/.config/, and /etc/. This information disclosure vulnerability affects users of ciguard integrated with Claude Desktop, Claude Code, or Cursor, and is patched in v0.8.2 with default symlink following disabled and path validation applied.

Technical ContextAI

ciguard is a Python-based security scanning tool distributed via pip that includes an MCP (Model Context Protocol) server exposing a scan_repo tool for AI agents. The vulnerable discover_pipeline_files() function in src/ciguard/discovery.py walks directory trees to locate pipeline configuration files (CI/CD, Jenkins, GitHub Actions, GitLab CI, etc.). The function implements cycle protection by tracking resolved paths, but fails to validate that the resolved paths of discovered files remain within the requested root directory. This is a classic CWE-59 (Improper Link Resolution Before File Access) violation compounded by CWE-367 (Time-of-check Time-of-use Race Condition) semantics - the symlink target is resolved after the root is specified but before output is validated against the root. The patch introduces a follow_symlinks parameter (default False) and adds belt-and-braces filtering that resolves all discovered file paths and compares them against root.resolve(), rejecting any that escape the requested directory.

RemediationAI

Upgrade to ciguard v0.8.2 or later immediately. The patch disables symlink following by default in discover_pipeline_files() and validates all discovered paths against the scan root using resolve() even if callers explicitly set follow_symlinks=True. No workaround is available for v0.8.0-0.8.1 other than avoiding the MCP server or restricting it to trusted, attacker-controlled-free directories. If upgrading is not immediately possible, disable the ciguard MCP server registration in Claude Desktop / Code / Cursor until patched, or restrict the agent's ability to scan untrusted repositories and archives. See https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-8cxw-cc62-q28v for detailed patch notes and https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2 for the fix release.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-44220 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy