CVE-2026-44971

Source
https://cve.org/CVERecord?id=CVE-2026-44971
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44971.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44971
Aliases
Published
2026-05-27T14:43:18.643Z
Modified
2026-07-08T08:13:41.693819460Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
GuardDog: Blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration
Details

GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and capture the GH_TOKEN used by GuardDog. This vulnerability is fixed in .

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44971.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/datadog/guarddog

Affected ranges

Type
GIT
Repo
https://github.com/datadog/guarddog
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "1.0.0"
        },
        {
            "last_affected": "2.9.0"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.10.0
v1.10.1
v1.11.0
v1.11.1
v1.11.2
v1.2
v1.2.1
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.6.0
v1.7.0
v1.8.0
v1.8.1
v1.8.2
v1.9.0
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.7.0
v2.7.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44971.json"