The `discover_pipeline_files()` function in `src/ciguard/discovery.py` (introduced in v0.8.0 and used by the MCP `scan_repo` tool shipped in v0.8.1) walks a directory tree following symlinks, with cycle protection via tracking visited resolved paths. An attacker who can plant a symlink...
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ciguard | pip | >= 0.8.0, <= 0.8.1 | 0.8.2 |
Recommended Action
Patch available
Update ciguard to version 0.8.2
Frequently Asked Questions
What is CVE-2026-44220?
ciguard: discover_pipeline_files follows symlinks out of scan root
Is CVE-2026-44220 actively exploited?
No confirmed active exploitation of CVE-2026-44220 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-44220?
Update to patched version: ciguard 0.8.2.
What is the CVSS score for CVE-2026-44220?
No CVSS score has been assigned yet.
Technical Details
NVD Description
## Summary

The `discover_pipeline_files()` function in `src/ciguard/discovery.py` (introduced in v0.8.0 and used by the MCP `scan_repo` tool shipped in v0.8.1) walks a directory tree following symlinks, with cycle protection via tracking visited resolved paths. An attacker who can plant a symlink in a directory the user (or AI agent) scans can cause discovery to walk into the symlink target and return paths to pipeline-shaped files outside the requested root.

## Threat scenario

**MCP confused-deputy.** A user runs Claude Desktop / Claude Code / Cursor with the ciguard MCP server registered. The agent is fed an adversarial prompt to scan a directory containing planted symlinks (e.g. via a malicious clone or extracted tarball). `ciguard.scan_repo` walks the symlinks, returning paths and (via subsequent `scan` calls) file content from `~/.aws/`, `~/.config/`, `/etc/some-pipeline-config/`, etc. Pipeline files often contain hardcoded secrets, internal hostnames, deploy keys.

## Patch

- New `follow_symlinks: bool = False` parameter on `discover_pipeline_files`. Default refuses to descend into symlinked directories OR symlinked files.
- Belt-and-braces: results are filtered to those whose `.resolve()` lies under `root.resolve()`, applied even when callers opt in to `follow_symlinks=True`.
- 3 regression tests in `tests/test_discovery.py::TestSymlinkSafety`.

## Discovery

Found during ciguard's first self-conducted penetration test cycle (PTES + OWASP TG v4.2 + CREST framing), 2026-04-26.

## CVSS Scoring

- CVSS v3.1: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N` — 4.4 (Medium)
- CVSS v4.0: `CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N` — first.org calc 5.7 (Medium); GitHub's calc returns 2.4 (Low). Vector is correct — calculator profiles differ.
## Reproduction

```python
from pathlib import Path
from ciguard.discovery import discover_pipeline_files

# In a victim dir, plant: trojan -> /etc
# (or any other accessible dir containing pipeline-shaped files)
for f in discover_pipeline_files(Path('/tmp/victim')):
    print(f)  # pre-fix: includes paths under /etc; post-fix: only /tmp/victim/
```

## References

- Fix released in [v0.8.2](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2)
- CI regression gate added in [v0.8.3](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3)

See also: [GHSA-w828-4qhx-vxx3](https://github.com/advisories/GHSA-w828-4qhx-vxx3) — same conceptual pattern (path-validation flaw in an AI-agent tool) in Claude SDK for Python, CWE-59 + CWE-367
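The two guards listed under Patch above (skip symlinks by default, and require every result to resolve under the scan root even when the caller opts in), shown beside a walk that has neither. This is an added example, not ciguard's code: `naive_discover`, `safe_discover`, `demo`, the `PIPELINE_NAMES` set and the temporary directory tree are all constructed for illustration. It applies the containment check before descending as well as before reporting a file.

```python
import os
import tempfile
from pathlib import Path

# Assumed filename set for illustration; ciguard's real matching rules are not on the page.
PIPELINE_NAMES = {".gitlab-ci.yml", "Jenkinsfile"}

def naive_discover(root: Path) -> list[Path]:
    """Vulnerable pattern: follow every symlink, never check where results resolve."""
    return sorted(Path(d) / f for d, _, files in os.walk(root, followlinks=True)
                  for f in files if f in PIPELINE_NAMES)

def safe_discover(root: Path, follow_symlinks: bool = False) -> list[Path]:
    """Return pipeline-shaped files under root whose resolved path stays under root."""
    root_real = root.resolve()
    found, seen, stack = [], set(), [root]
    while stack:
        current = stack.pop()
        real = current.resolve()
        if real in seen:  # cycle protection on resolved directories
            continue
        seen.add(real)
        for path in current.iterdir():
            if path.is_symlink() and not follow_symlinks:
                continue  # default: ignore symlinked files and directories
            if not path.resolve().is_relative_to(root_real):
                continue  # containment holds even when the caller opts in
            if path.is_dir():
                stack.append(path)
            elif path.is_file() and path.name in PIPELINE_NAMES:
                found.append(path)
    return sorted(found)

def demo() -> dict[str, list[str]]:
    """Constructed tree: victim/ has a real file, an in-root link and a link out."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        victim, outside = base / "victim", base / "outside"
        victim.mkdir()
        outside.mkdir()
        (victim / ".gitlab-ci.yml").write_text("stages: [build]\n")
        (outside / "Jenkinsfile").write_text("pipeline {}\n")
        os.symlink(victim / ".gitlab-ci.yml", victim / "Jenkinsfile")  # stays in root
        os.symlink(outside, victim / "trojan", target_is_directory=True)  # escapes
        rel = lambda paths: [p.relative_to(victim).as_posix() for p in paths]
        return {"naive": rel(naive_discover(victim)), "default": rel(safe_discover(victim)),
                "opt_in": rel(safe_discover(victim, follow_symlinks=True))}

if __name__ == "__main__":
    print(demo())
```

The containment check reflects the filesystem at discovery time only, so a consumer that opens a returned path later should resolve and check it again before reading.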
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N