CVE-2026-44220

CVE-2026-44220 is a low-severity security vulnerability in ciguard (pip), affecting versions >= 0.8.0, <= 0.8.1. It is fixed in 0.8.2.

Summary

The discover_pipeline_files() function in src/ciguard/discovery.py (introduced in v0.8.0 and used by the MCP scan_repo tool shipped in v0.8.1) walks a directory tree following symlinks, with cycle protection via tracking visited resolved paths. An attacker who can plant a symlink in a directory the user (or AI agent) scans can cause discovery to walk into the symlink target and return paths to pipeline-shaped files outside the requested root.

Threat scenario

MCP confused-deputy. A user runs Claude Desktop / Claude Code / Cursor with the ciguard MCP server registered. The agent is fed an adversarial prompt to scan a directory containing planted symlinks (e.g. via a malicious clone or extracted tarball). ciguard.scan_repo walks the symlinks, returning paths and (via subsequent scan calls) file content from ~/.aws/, ~/.config/, /etc/some-pipeline-config/, etc. Pipeline files often contain hardcoded secrets, internal hostnames, deploy keys.

Discovery

Found during ciguard's first self-conducted penetration test cycle (PTES + OWASP TG v4.2 + CREST framing), 2026-04-26.

CVSS Scoring

  • CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N, 4.4 (Medium)
  • CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N, first.org calc 5.7 (Medium); GitHub's calc returns 2.4 (Low). Vector is correct, calculator profiles differ.

Reproduction

from pathlib import Path
from ciguard.discovery import discover_pipeline_files
# In a victim dir, plant: trojan -> /etc
# (or any other accessible dir containing pipeline-shaped files)
for f in discover_pipeline_files(Path('/tmp/victim')):
    print(f)  # pre-fix: includes paths under /etc; post-fix: only /tmp/victim/

References

See also: GHSA-w828-4qhx-vxx3, same conceptual pattern (path-validation flaw in an AI-agent tool) in Claude SDK for Python, CWE-59 + CWE-367

Impact

Affected versions

ciguard (>= 0.8.0, <= 0.8.1)

Security releases

ciguard → 0.8.2 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

  • New follow_symlinks: bool = False parameter on discover_pipeline_files. Default refuses to descend into symlinked directories OR symlinked files.
  • Belt-and-braces: results are filtered to those whose .resolve() lies under root.resolve(), applied even when callers opt in to follow_symlinks=True.
  • 3 regression tests in tests/test_discovery.py::TestSymlinkSafety.

Frequently Asked Questions

  1. What is CVE-2026-44220? CVE-2026-44220 is a low-severity security vulnerability in ciguard (pip), affecting versions >= 0.8.0, <= 0.8.1. It is fixed in 0.8.2.
  2. Which versions of ciguard are affected by CVE-2026-44220? ciguard (pip) versions >= 0.8.0, <= 0.8.1 is affected.
  3. Is there a fix for CVE-2026-44220? Yes. CVE-2026-44220 is fixed in 0.8.2. Upgrade to this version or later.
  4. Is CVE-2026-44220 exploitable, and should I be worried? Whether CVE-2026-44220 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2026-44220 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-44220? Upgrade ciguard to 0.8.2 or later.

Other vulnerabilities in ciguard

CVE-2026-44220CVE-2026-44218

Stop the waste.
Protect your environment with Kodem.