PYSEC-2026-2409
Vulnerability from pysec - Published: 2026-07-13 15:15 - Updated: 2026-07-13 16:03
VLAI
Details
Summary
The published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactful than it needs to be.
Threat scenario
Defence-in-depth gap. Without a known container-runtime CVE in the chain, this finding is not directly exploitable. Recent runc CVEs (e.g. CVE-2024-21626) provided escape primitives that depended on host UID = container UID = 0 for full impact; with this fix, any future such escape primitive lands as a non-root user on the host.
Patch
- Dockerfile adds
RUN groupadd -r ciguard && useradd -r -g ciguard -d /home/ciguard -m -s /usr/sbin/nologin ciguard && chown -R ciguard:ciguard /reports /policies-mount /app. - Followed by
USER ciguardbefore theCMDdirective. - Trivy DS-0002 misconfig clears (
Tests: 20 SUCCESSES: 20 FAILURES: 0).
Discovery
Found by Trivy filesystem scan during ciguard's first self-conducted pentest cycle, 2026-04-26.
CVSS Scoring
- CVSS v3.1:
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N— 2.0 (Low) - CVSS v4.0:
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N— 3.4 (Low) per Cycle 1 report; GitHub's calc 1.8 (Low). Both Low.
Verification
$ docker run --rm ghcr.io/jo-jo98/ciguard:v0.8.2 id
uid=999(ciguard) gid=999(ciguard) groups=999(ciguard)
References
Severity
Impacted products
| Name | purl | ciguard | pkg:pypi/ciguard |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ciguard",
"purl": "pkg:pypi/ciguard"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"fixed": "0.8.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1.0",
"0.1.1",
"0.1.2",
"0.1.3",
"0.1.4",
"0.2.0",
"0.2.1",
"0.3.0",
"0.4.0",
"0.4.1",
"0.5.0",
"0.6.0",
"0.6.1",
"0.7.0",
"0.8.1"
]
}
],
"aliases": [
"CVE-2026-44218",
"GHSA-jrm4-4pcf-4763"
],
"details": "## Summary\n\nThe published `ghcr.io/jo-jo98/ciguard` container image inherits the default root user because the `Dockerfile` lacks a `USER` directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactful than it needs to be.\n\n## Threat scenario\n\nDefence-in-depth gap. Without a known container-runtime CVE in the chain, this finding is not directly exploitable. Recent runc CVEs (e.g. CVE-2024-21626) provided escape primitives that depended on host UID = container UID = 0 for full impact; with this fix, any future such escape primitive lands as a non-root user on the host.\n\n## Patch\n\n- Dockerfile adds `RUN groupadd -r ciguard \u0026\u0026 useradd -r -g ciguard -d /home/ciguard -m -s /usr/sbin/nologin ciguard \u0026\u0026 chown -R ciguard:ciguard /reports /policies-mount /app`.\n- Followed by `USER ciguard` before the `CMD` directive.\n- Trivy DS-0002 misconfig clears (`Tests: 20 SUCCESSES: 20 FAILURES: 0`).\n\n## Discovery\n\nFound by Trivy filesystem scan during ciguard\u0027s first self-conducted pentest cycle, 2026-04-26.\n\n## CVSS Scoring\n\n- CVSS v3.1: `CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N` \u2014 2.0 (Low)\n- CVSS v4.0: `CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N` \u2014 3.4 (Low) per Cycle 1 report; GitHub\u0027s calc 1.8 (Low). Both Low.\n\n## Verification\n\n```\n$ docker run --rm ghcr.io/jo-jo98/ciguard:v0.8.2 id\nuid=999(ciguard) gid=999(ciguard) groups=999(ciguard)\n```\n\n## References\n\n- Fix released in [v0.8.2](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2)\n- CI regression gate added in [v0.8.3](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3)\n- https://www.cve.org/CVERecord?id=CVE-2026-44218",
"id": "PYSEC-2026-2409",
"modified": "2026-07-13T16:03:42.071771Z",
"published": "2026-07-13T15:15:38.486819Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-jrm4-4pcf-4763"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44218"
},
{
"type": "PACKAGE",
"url": "https://github.com/Jo-Jo98/ciguard"
},
{
"type": "WEB",
"url": "https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2"
},
{
"type": "WEB",
"url": "https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/ciguard"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jrm4-4pcf-4763"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ciguard: Container image runs as root (no USER directive)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…