Summary
The discover_pipeline_files() function in src/ciguard/discovery.py (introduced in v0.8.0 and used by the MCP scan_repo tool shipped in v0.8.1) walks a directory tree following symlinks, with cycle protection via tracking visited resolved paths. An attacker who can plant a symlink in a directory the user (or AI agent) scans can cause discovery to walk into the symlink target and return paths to pipeline-shaped files outside the requested root.
Threat scenario
MCP confused-deputy. A user runs Claude Desktop / Claude Code / Cursor with the ciguard MCP server registered. The agent is fed an adversarial prompt to scan a directory containing planted symlinks (e.g. via a malicious clone or extracted tarball). ciguard.scan_repo walks the symlinks, returning paths and (via subsequent scan calls) file content from ~/.aws/, ~/.config/, /etc/some-pipeline-config/, etc. Pipeline files often contain hardcoded secrets, internal hostnames, deploy keys.
Discovery
Found during ciguard's first self-conducted penetration test cycle (PTES + OWASP TG v4.2 + CREST framing), 2026-04-26.
CVSS Scoring
- CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N, 4.4 (Medium)
- CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N, first.org calc 5.7 (Medium); GitHub's calc returns 2.4 (Low). Vector is correct, calculator profiles differ.
Reproduction
from pathlib import Path

from ciguard.discovery import discover_pipeline_files

# In a victim dir, plant: trojan -> /etc
# (or any other accessible dir containing pipeline-shaped files)
for f in discover_pipeline_files(Path('/tmp/victim')):
    # pre-fix: includes paths under /etc; post-fix: only /tmp/victim/
    print(f)
References
- Fix released in v0.8.2
- CI regression gate added in v0.8.3
- https://www.cve.org/CVERecord?id=CVE-2026-44220
See also: GHSA-w828-4qhx-vxx3, same conceptual pattern (path-validation flaw in an AI-agent tool) in Claude SDK for Python, CWE-59 + CWE-367
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
- New follow_symlinks: bool = False parameter on discover_pipeline_files. Default refuses to descend into symlinked directories OR symlinked files.
- Belt-and-braces: results are filtered to those whose .resolve() lies under root.resolve(), applied even when callers opt in to follow_symlinks=True.
- 3 regression tests in tests/test_discovery.py::TestSymlinkSafety.
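The two remediation rules above (refuse symlinks by default, and keep only results that resolve under the root even on opt-in), shown as an added example that is not ciguard's own code. The names safe_discover, is_within, PIPELINE_NAMES and demo are hypothetical, and the file-name set and the directory pruning are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed file names for this demo; ciguard's real matching rules are not on the page.
PIPELINE_NAMES = {".gitlab-ci.yml", "Jenkinsfile"}


def is_within(path: Path, root: Path) -> bool:
    """True if path, with every symlink resolved, is root or lies under it."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def safe_discover(root: Path, follow_symlinks: bool = False) -> list[Path]:
    found, seen = [], set()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=follow_symlinks):
        base = Path(dirpath)
        real = base.resolve()
        if real in seen or not is_within(base, root):
            dirnames[:] = []  # symlink cycle, or the walk left root: prune here
            continue
        seen.add(real)
        for name in filenames:
            candidate = base / name
            if name not in PIPELINE_NAMES:
                continue
            if candidate.is_symlink() and not follow_symlinks:
                continue  # default: symlinked files are refused as well
            if is_within(candidate, root):  # applied even when the caller opted in
                found.append(candidate)
    return sorted(found)


def demo() -> dict:
    """Constructed layout: victim/ has one real pipeline file and two links into outside/."""
    with tempfile.TemporaryDirectory() as tmp:
        victim, outside = Path(tmp, "victim"), Path(tmp, "outside")
        victim.mkdir()
        outside.mkdir()
        (victim / ".gitlab-ci.yml").write_text("stages: [build]\n")
        (outside / "Jenkinsfile").write_text("pipeline {}\n")
        (victim / "trojan").symlink_to(outside, target_is_directory=True)
        (victim / "Jenkinsfile").symlink_to(outside / "Jenkinsfile")
        names = lambda paths: [p.name for p in paths]
        return {"default": names(safe_discover(victim)),
                "opt_in": names(safe_discover(victim, follow_symlinks=True))}
```

In both modes demo() returns only the real file inside victim/; the symlinked Jenkinsfile and everything behind trojan resolve outside the root and are dropped.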
Frequently Asked Questions
- What is CVE-2026-44220? CVE-2026-44220 is a low-severity security vulnerability in ciguard (pip), affecting versions >= 0.8.0, <= 0.8.1. It is fixed in 0.8.2.
- Which versions of ciguard are affected by CVE-2026-44220? ciguard (pip) versions >= 0.8.0, <= 0.8.1 are affected.
- Is there a fix for CVE-2026-44220? Yes. CVE-2026-44220 is fixed in 0.8.2. Upgrade to this version or later.
- Is CVE-2026-44220 exploitable, and should I be worried? Whether CVE-2026-44220 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-44220 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-44220? Upgrade ciguard to 0.8.2 or later.