ciguard: Container image runs as root (no USER directive)

CVE-2026-44218 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Summary

The published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactful than it needs to be.

Threat scenario

Defence-in-depth gap. Without a known container-runtime CVE in the chain, this finding is not directly exploitable. Recent runc CVEs (e.g. CVE-2024-21626) provided escape primitives that depended on host UID = container UID = 0 for full impact; with this fix, any future such escape primitive lands as a non-root user on the host.

Patch

  • Dockerfile adds RUN groupadd -r ciguard && useradd -r -g ciguard -d /home/ciguard -m -s /usr/sbin/nologin ciguard && chown -R ciguard:ciguard /reports /policies-mount /app.
  • Followed by USER ciguard before the CMD directive.
  • Trivy DS-0002 misconfig clears (Tests: 20 SUCCESSES: 20 FAILURES: 0).

Discovery

Found by Trivy filesystem scan during ciguard's first self-conducted pentest cycle, 2026-04-26.

CVSS Scoring

  • CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N — 2.0 (Low)
  • CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N — 3.4 (Low) per Cycle 1 report; GitHub's calc 1.8 (Low). Both Low.

Verification

$ docker run --rm ghcr.io/jo-jo98/ciguard:v0.8.2 id
uid=999(ciguard) gid=999(ciguard) groups=999(ciguard)

References

  • Fix released in v0.8.2
  • CI regression gate added in v0.8.3
  • https://www.cve.org/CVERecord?id=CVE-2026-44218

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-05 22:18:15 UTC
Updated
2026-05-15 23:50:19 UTC
GitHub reviewed
2026-05-05 22:18:15 UTC
NVD published
2026-05-12 20:16:42 UTC

EPSS Score

Score Percentile
0.01% 1.16%

CVSS Scores

Base score Version Severity Vector
3.0 3.1
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.
1.8 4.0
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:L)
Attacker needs local access on the target system.
Attack complexity (AC:H)
Exploitation depends on constrained or hard-to-reproduce conditions.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:H)
High privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:L)
Limited confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

Type Value
GHSA GHSA-jrm4-4pcf-4763 ↗
CVE CVE-2026-44218 ↗

CWEs

CWE id Name
CWE-269 Improper Privilege Management

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip ciguard >= 0.1.0, <= 0.8.1 0.8.2

References

cvelogic Threat Intelligence