ciguard CVE-2026-44220
LOWSeverity by source
AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The discover_pipeline_files() function in src/ciguard/discovery.py (introduced in v0.8.0 and used by the MCP scan_repo tool shipped in v0.8.1) walks a directory tree following symlinks, with cycle protection via tracking visited resolved paths. An attacker who can plant a symlink in a directory the user (or AI agent) scans can cause discovery to walk into the symlink target and return paths to pipeline-shaped files outside the requested root.
Threat scenario
MCP confused-deputy. A user runs Claude Desktop / Claude Code / Cursor with the ciguard MCP server registered. The agent is fed an adversarial prompt to scan a directory containing planted symlinks (e.g. via a malicious clone or extracted tarball). ciguard.scan_repo walks the symlinks, returning paths and (via subsequent scan calls) file content from ~/.aws/, ~/.config/, /etc/some-pipeline-config/, etc. Pipeline files often contain hardcoded secrets, internal hostnames, deploy keys.
Patch
- New
follow_symlinks: bool = Falseparameter ondiscover_pipeline_files. Default refuses to descend into symlinked directories OR symlinked files. - Belt-and-braces: results are filtered to those whose
.resolve()lies underroot.resolve(), applied even when callers opt in tofollow_symlinks=True. - 3 regression tests in
tests/test_discovery.py::TestSymlinkSafety.
Discovery
Found during ciguard's first self-conducted penetration test cycle (PTES + OWASP TG v4.2 + CREST framing), 2026-04-26.
CVSS Scoring
- CVSS v3.1:
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N- 4.4 (Medium) - CVSS v4.0:
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N- first.org calc 5.7 (Medium); GitHub's calc returns 2.4 (Low). Vector is correct - calculator profiles differ.
Reproduction
from pathlib import Path
from ciguard.discovery import discover_pipeline_files
# In a victim dir, plant: trojan -> /etc
# (or any other accessible dir containing pipeline-shaped files)
for f in discover_pipeline_files(Path('/tmp/victim')):
print(f)
# pre-fix: includes paths under /etc; post-fix: only /tmp/victim/References
See also: GHSA-w828-4qhx-vxx3 - same conceptual pattern (path-validation flaw in an AI-agent tool) in Claude SDK for Python, CWE-59 + CWE-367
AnalysisAI
The discover_pipeline_files() function in ciguard v0.8.0-0.8.1 follows symlinks during directory traversal without validating that discovered paths remain within the scan root, allowing an attacker who plants symlinks in a scanned directory to cause the MCP server to leak file paths and contents from sensitive locations such as ~/.aws/, ~/.config/, and /etc/. This information disclosure vulnerability affects users of ciguard integrated with Claude Desktop, Claude Code, or Cursor, and is patched in v0.8.2 with default symlink following disabled and path validation applied.
Technical ContextAI
ciguard is a Python-based security scanning tool distributed via pip that includes an MCP (Model Context Protocol) server exposing a scan_repo tool for AI agents. The vulnerable discover_pipeline_files() function in src/ciguard/discovery.py walks directory trees to locate pipeline configuration files (CI/CD, Jenkins, GitHub Actions, GitLab CI, etc.). The function implements cycle protection by tracking resolved paths, but fails to validate that the resolved paths of discovered files remain within the requested root directory. This is a classic CWE-59 (Improper Link Resolution Before File Access) violation compounded by CWE-367 (Time-of-check Time-of-use Race Condition) semantics - the symlink target is resolved after the root is specified but before output is validated against the root. The patch introduces a follow_symlinks parameter (default False) and adds belt-and-braces filtering that resolves all discovered file paths and compares them against root.resolve(), rejecting any that escape the requested directory.
RemediationAI
Upgrade to ciguard v0.8.2 or later immediately. The patch disables symlink following by default in discover_pipeline_files() and validates all discovered paths against the scan root using resolve() even if callers explicitly set follow_symlinks=True. No workaround is available for v0.8.0-0.8.1 other than avoiding the MCP server or restricting it to trusted, attacker-controlled-free directories. If upgrading is not immediately possible, disable the ciguard MCP server registration in Claude Desktop / Code / Cursor until patched, or restrict the agent's ability to scan untrusted repositories and archives. See https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-8cxw-cc62-q28v for detailed patch notes and https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2 for the fix release.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8cxw-cc62-q28v