{"data":{"id":"c1ca171d-7ace-46ef-8814-20f82f6594e0","title":"GHSA-8cxw-cc62-q28v: ciguard: discover_pipeline_files follows symlinks out of scan root","summary":"The `discover_pipeline_files()` function in ciguard (a tool used by AI agents to scan code repositories) followed symlinks (shortcuts that point to other directories) without proper restrictions, allowing an attacker to trick it into reading sensitive files outside the intended scan directory. An AI agent scanning a malicious folder with planted symlinks could accidentally expose secrets from system directories like ~/.aws/ or /etc/.","solution":"Fixed in v0.8.2 and v0.8.3. The patch adds a new `follow_symlinks: bool = False` parameter to `discover_pipeline_files()` that refuses to descend into symlinked directories or files by default. Additionally, all results are filtered to verify their resolved paths lie under the requested root directory, even if callers enable symlink following.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-8cxw-cc62-q28v","publishedAt":"2026-05-05T22:19:23.000Z","cveId":"CVE-2026-44220","cweIds":null,"cvssScore":null,"cvssSeverity":"low","severity":"low","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["ciguard@>= 0.8.0, <= 0.8.1 (fixed: 0.8.2)"],"affectedVendors":[],"affectedVendorsRaw":["Claude Desktop","Claude Code","Cursor","ciguard","Claude SDK for Python"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-05T22:19:23.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0010"]}}