CVE-2026-44971 Overview
CVE-2026-44971 is a Server-Side Request Forgery (SSRF) vulnerability in GuardDog, a command-line tool from DataDog used to identify malicious PyPI packages. The flaw affects versions 1.0.0 through 2.9.0. The programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement. GuardDog then attaches the caller's GitHub credentials to the resulting request. An attacker who can influence a scanned repository URL can redirect requests to attacker-controlled infrastructure and capture the GH_TOKEN used by GuardDog.
Critical Impact
Attackers can trigger SSRF and exfiltrate GitHub access tokens by supplying crafted repository URLs to GuardDog's programmatic scanning interface.
Affected Products
- DataDog GuardDog 1.0.0 through 2.9.0
- Programmatic remote project scanning path in GuardDog
- GitHub token-bearing automation built on GuardDog
Discovery Timeline
- 2026-05-27 - CVE-2026-44971 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-44971
Vulnerability Analysis
GuardDog accepts repository URLs through its programmatic remote project scanning path. The code rewrites those URLs using a blind string replacement to construct an API endpoint. Because the rewrite does not validate the host or scheme, an attacker can craft a URL that produces an arbitrary destination after substitution.
GuardDog then issues an HTTP request to that destination and attaches the GitHub credentials supplied through GH_TOKEN. The receiving server obtains the bearer token in the Authorization header. The token grants the attacker the same GitHub access as the GuardDog operator, including repository read and write permissions tied to that token.
This weakness is classified under [CWE-918] Server-Side Request Forgery. The attack is network-reachable, requires no authentication on the GuardDog side, and needs no user interaction beyond the operator running a scan against an attacker-supplied URL.
Root Cause
The root cause is unsafe URL construction. The scanner performs a string-level replacement on the input URL instead of parsing it and validating the host against an allowlist. Credential attachment occurs unconditionally, so requests to non-GitHub hosts still receive the GH_TOKEN.
Attack Vector
An attacker hosts a repository reference, malicious package metadata, or any input that feeds a URL into GuardDog's remote scan path. When GuardDog rewrites and dispatches the request, the connection lands on the attacker's server with the GitHub token attached. The attacker then reuses the token against the GitHub API. See the GitHub Security Advisory GHSA-587r-mc96-6f2p for the maintainer's technical description.
Detection Methods for CVE-2026-44971
Indicators of Compromise
- Outbound HTTPS requests from GuardDog hosts to domains other than api.github.com or github.com carrying an Authorization header.
- GitHub audit log entries showing GH_TOKEN usage from IP addresses that do not match the GuardDog runner or CI environment.
- Unexpected repository clone, fork, or token-introspection events on accounts linked to GuardDog automation.
Detection Strategies
- Inspect egress traffic from CI runners and developer workstations executing GuardDog for non-GitHub destinations during scans.
- Correlate GuardDog scan invocations with GitHub API access logs to flag tokens used outside expected source ranges.
- Review GuardDog scan inputs for repository URLs containing unusual characters, encoded segments, or non-GitHub hostnames.
Monitoring Recommendations
- Enable GitHub fine-grained personal access token logging and alert on usage from unfamiliar IPs.
- Forward CI/CD egress proxy logs into a centralized analytics pipeline and search for Authorization headers leaving the network.
- Track GuardDog process invocations and command-line arguments on build agents to retain forensic context.
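Added example (Python, not part of the advisory or of GuardDog) of the detection logic the Detection Strategies and Monitoring sections describe: it runs over constructed egress-proxy log lines and flags any request that carried an Authorization header to a host other than github.com or api.github.com. The JSON log format, field names and sample records are assumptions.

```python
import json
from urllib.parse import urlparse

# Exact-match allowlist: suffix matching would let api.github.com.attacker.example through.
GITHUB_HOSTS = {"api.github.com", "github.com"}

# Constructed egress-proxy records (one JSON object per line); not real traffic.
SAMPLE_LOG = """\
{"ts":"2026-05-28T10:00:01Z","src":"10.0.5.12","proc":"guarddog","url":"https://api.github.com/repos/DataDog/guarddog","auth_header":true}
{"ts":"2026-05-28T10:00:02Z","src":"10.0.5.12","proc":"guarddog","url":"https://pypi.org/pypi/requests/json","auth_header":false}
{"ts":"2026-05-28T10:00:03Z","src":"10.0.5.12","proc":"guarddog","url":"https://evil.example/https://github.com/DataDog/guarddog","auth_header":true}
{"ts":"2026-05-28T10:00:04Z","src":"10.0.5.12","proc":"guarddog","url":"https://api.github.com.attacker.example/repos/x/y","auth_header":true}
this line is not JSON and must not abort the scan
"""


def find_token_leaks(log_text: str) -> list[dict]:
    """Return one finding per request that sent an Authorization header to a
    non-GitHub host. Malformed lines are skipped rather than crashing the scan."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not rec.get("auth_header"):
            continue  # no credential on the wire, nothing to leak
        host = urlparse(rec.get("url", "")).hostname or ""
        if host in GITHUB_HOSTS:
            continue
        findings.append({
            "line": lineno,
            "ts": rec.get("ts"),
            "src": rec.get("src"),
            "proc": rec.get("proc"),
            "host": host,
        })
    return findings


if __name__ == "__main__":
    for f in find_token_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: {f['proc']} on {f['src']} sent a credential to {f['host']}")
```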
How to Mitigate CVE-2026-44971
Immediate Actions Required
- Stop running GuardDog versions 1.0.0 through 2.9.0 against untrusted repository URLs until a fixed release is installed.
- Rotate any GH_TOKEN values that have been used with vulnerable GuardDog versions, especially in shared CI environments.
- Restrict GuardDog runners to egress proxies that allowlist api.github.com and github.com only.
Patch Information
DataDog has published GHSA-587r-mc96-6f2p describing the fix. Upgrade to the patched GuardDog release referenced in that advisory and verify the installed version with guarddog --version before resuming scans.
Workarounds
- Pass only validated, GitHub-hosted repository URLs to GuardDog's programmatic scan API and reject any input whose host is not github.com.
- Run GuardDog with a scoped, short-lived GitHub token that has read-only access to the specific repositories being scanned.
- Execute scans inside an isolated network namespace that blocks outbound traffic to all hosts except the GitHub API.
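Added example (Python, not GuardDog's code) contrasting the bug class named in the Root Cause section with the parse-and-validate approach the first workaround calls for: the input URL is parsed, its scheme and exact host checked against an allowlist, and the API URL built from validated parts; the bearer token is attached only when the destination is the API host. The function names, the allowlist and the rewrite pattern in `unsafe_rewrite` are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

ALLOWED_REPO_HOSTS = {"github.com", "www.github.com"}  # hypothetical allowlist
API_HOST = "api.github.com"


def unsafe_rewrite(repo_url: str) -> str:
    """Illustrates the bug class only: a blind substring rewrite that never
    inspects the host, so a crafted input decides where the request is sent."""
    return repo_url.replace("https://github.com/", f"https://{API_HOST}/repos/", 1)


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def safe_api_url(repo_url: str) -> str:
    """Parse, validate scheme and exact host, then build the API URL from the
    validated owner/repo parts instead of rewriting the raw string."""
    parts = urlparse(repo_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing scheme {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("refusing URL with embedded credentials")
    if parts.hostname not in ALLOWED_REPO_HOSTS or parts.port not in (None, 443):
        raise ValueError(f"refusing non-GitHub host {parts.netloc!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("expected a /owner/repo path")
    owner, repo = segments[0], segments[1].removesuffix(".git")
    if not all(re.fullmatch(r"[A-Za-z0-9_.-]+", s) for s in (owner, repo)):
        raise ValueError("owner or repo contains unexpected characters")
    return f"https://{API_HOST}/repos/{owner}/{repo}"


def is_github_repo_url(repo_url: str) -> bool:
    try:
        safe_api_url(repo_url)
        return True
    except ValueError:
        return False


def request_headers(url: str, token: str) -> dict:
    """Attach the bearer token only for the GitHub API host, so a validation
    slip upstream still cannot hand GH_TOKEN to another server."""
    headers = {"Accept": "application/vnd.github+json"}
    if token and host_of(url) == API_HOST:
        headers["Authorization"] = f"Bearer {token}"
    return headers
```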
# Configuration example
# Restrict GuardDog egress with an explicit allowlist (example using iptables).
# Caveat: iptables resolves a hostname given to -d once, when the rule is inserted,
# so these rules pin whatever addresses the names resolved to at that moment; an
# egress proxy that allowlists by hostname is the more robust form of this control.
iptables -A OUTPUT -p tcp -d api.github.com --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -d github.com --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j REJECT
# Use a least-privilege, short-lived GitHub token. `gh auth token` prints the token
# of the current gh login and has no --scopes flag; a token's permissions are fixed
# when it is created (for example a fine-grained token with read-only Contents
# permission on the scanned repositories), so restrict it there, not here.
export GH_TOKEN="$(gh auth token)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.