CVE-2026-44971 | Severity: HIGH | CNA: GitHub_M

CVE-2026-44971: GuardDog: Blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration

GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and capture the GH_TOKEN used by GuardDog. This vulnerability is fixed in .

HarborGuard Analysis

Synopsis

A server-side request forgery (SSRF) vulnerability exists in GuardDog, a CLI tool for identifying malicious PyPI packages, versions 1.0.0 through 2.9.0. The flaw is reachable over the network with no authentication required: when GuardDog's remote project scanning path rewrites an attacker-controlled repository URL using a blind string replacement, it forwards the caller's GitHub credentials (GH_TOKEN) with the resulting outbound request. Successful exploitation lets an attacker redirect that credentialed request to an arbitrary destination and capture the GH_TOKEN. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment an upstream fix is released.
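The root cause described above is that the repository URL is rewritten with a blind string replacement and the rewritten string then receives the GH_TOKEN. The defensive pattern is to never rewrite the raw string at all: parse the URL into components, accept only an exact `https://github.com/owner/repo` shape, and build the outbound API URL from the validated pieces before a credential is attached. The following is an added illustration written for this page, not GuardDog's code and not the upstream fix (which the advisory does not describe); the function names, the host allowlist and the test URLs are all constructed for the example.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Owner and repository segments are restricted to a conservative character set.
_SAFE_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")


class UnsafeRepositoryURL(ValueError):
    """Raised when a repository URL must not be fetched with credentials."""


def parse_github_repo(url: str) -> tuple[str, str]:
    """Return (owner, repo) only for a plain https://github.com/owner/repo[.git] URL.

    Every check runs on parsed components, never on the raw string, so an
    attacker-supplied host, userinfo, port or extra path cannot survive into
    the request that later carries the token.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeRepositoryURL(f"scheme must be https, got {parts.scheme!r}")
    try:
        port = parts.port  # raises ValueError for a malformed port
    except ValueError as exc:
        raise UnsafeRepositoryURL(f"malformed netloc: {parts.netloc!r}") from exc
    # hostname is lowercased and stripped of userinfo/port; compare it exactly,
    # so "github.com.example.test" and "github.com@example.test" are rejected.
    if parts.hostname != "github.com" or parts.username is not None or port is not None:
        raise UnsafeRepositoryURL(f"netloc not allowed: {parts.netloc!r}")
    if parts.query or parts.fragment:
        raise UnsafeRepositoryURL("query strings and fragments are not part of a repo URL")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2:
        raise UnsafeRepositoryURL(f"expected /owner/repo path, got {parts.path!r}")
    owner, repo = segments
    if repo.endswith(".git"):
        repo = repo[: -len(".git")]
    for segment in (owner, repo):
        if segment in {".", ".."} or not _SAFE_SEGMENT.fullmatch(segment):
            raise UnsafeRepositoryURL(f"invalid path segment: {segment!r}")
    return owner, repo


def is_safe_repo_url(url: str) -> bool:
    """Boolean convenience wrapper around parse_github_repo for gating scan input."""
    try:
        parse_github_repo(url)
    except UnsafeRepositoryURL:
        return False
    return True


def build_api_request(url: str, token: str) -> tuple[str, dict[str, str]]:
    """Return (api_url, headers) for a repository metadata fetch.

    The token is attached only after validation, and the outbound URL is
    assembled from the validated owner/repo rather than rewritten from input.
    """
    owner, repo = parse_github_repo(url)
    api_url = f"https://api.github.com/repos/{owner}/{repo}"
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    }
    return api_url, headers


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable URL and a few that must be refused.
    for candidate in (
        "https://github.com/DataDog/guarddog",
        "https://github.com.example.test/DataDog/guarddog",
        "https://github.com@example.test/DataDog/guarddog",
    ):
        print(f"{candidate!r}: safe={is_safe_repo_url(candidate)}")
```

Pairing this validation with the egress restriction mentioned later on the page (outbound traffic limited to GitHub API endpoints) gives two independent controls: the validator stops a crafted URL from ever being credentialed, and the egress policy blocks the credentialed request from reaching anywhere else if the validator is bypassed.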

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-44971 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle GuardDog 1.0.0 through 2.9.0, across registries and CI pipelines.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 8.2 HIGH and weighting it against each environment's compliance policy to determine urgency. Routed findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment DataDog ships a corrected release. In the interim, triage alerts remain active and compensating-control guidance is surfaced alongside the finding.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to influence the repository URL that GuardDog fetches over the network, exposing the SSRF path to any caller that can supply or manipulate scan input remotely.

  • Authentication: Not required

    No credentials or account are required to trigger the vulnerability; the attacker only needs to control the repository URL supplied to GuardDog.

  • Victim interaction: Not required

    No user interaction is needed beyond the normal execution of a GuardDog remote project scan with an attacker-influenced URL.

  • Attack complexity: Low

    Exploit complexity is low: no race conditions or special environmental factors are required; a crafted repository URL is sufficient to trigger the SSRF and credential forwarding.

Blast Radius

  • Reads the GH_TOKEN present in the scanning environment, granting the attacker whatever GitHub API access that token carries, which may include access to private repositories, organization membership, and workflow secrets.
  • Exfiltrates the token to an attacker-controlled server via the SSRF-redirected credentialed HTTP request, making the exposure persistent until the token is rotated.
  • Allows the attacker to make authenticated GitHub API calls on behalf of the token holder, including reading source code, listing collaborators, and triggering repository actions.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-44971 as of publication, the platform monitors the DataDog advisory on every ingest cycle and will automatically initiate a patched-image rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment a fix version is released. In the meantime, HarborGuard surfaces this finding with compensating-control recommendations: isolate GuardDog execution environments behind network egress policies that restrict outbound requests to known-good GitHub API endpoints only, avoid passing untrusted repository URLs to programmatic scan invocations, and rotate any GH_TOKEN used in scanning pipelines if exposure is suspected. Customers with compliance policies that flag unpatched HIGH-severity findings will see this CVE escalated in their policy dashboards until upstream remediation is available.


Metrics

CVSS v3.1 score: 8.2
Severity: HIGH
Fixed in: no fix version published
Affected products: 1
Affected packages:
  • DataDog / guarddog: >= 1.0.0, <= 2.9.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N