Cyber Posture

CVE-2026-22871

Critical

Published: 13 January 2026
Modified: 21 January 2026
KEV Added: not listed
Patch: fixed in GuardDog 2.7.1
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (46.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22871 is a critical-severity Path Traversal (CWE-22) vulnerability in Datadoghq Guarddog. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks the CVE at the 46.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly counters the path traversal: every member path that GuardDog's safe_extract() derives from a PyPI package must be resolved and checked against the extraction directory before anything is written, and any path that lands outside it must be rejected.

SI-2 Flaw Remediation (prevent)

Removes the vulnerability by updating GuardDog to version 2.7.1 or later, where the issue is fixed.

AC-6 Least Privilege (prevent)

Limits the impact of an arbitrary file overwrite, and of the code execution that can follow from it, by running GuardDog under a dedicated low-privilege account or container that has no write access to critical system areas. (AC-6 is the 800-53 r5 control titled Least Privilege; the page describes the control without naming it.)

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

GuardDog is a client-side tool: the path traversal is triggered when it extracts a malicious PyPI package, giving the package's author an arbitrary file write on the scanning host, and through that, code execution, without any authentication to that host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, a path traversal vulnerability exists in GuardDog's safe_extract() function that allows malicious PyPI packages to write arbitrary files outside the intended extraction directory, leading to Arbitrary File Overwrite and Remote Code Execution on systems running GuardDog. This vulnerability is fixed in 2.7.1.

Deeper analysis

CVE-2026-22871 is a path traversal vulnerability (CWE-22) in the safe_extract() function of GuardDog, a CLI tool designed to identify malicious PyPI packages. Versions of GuardDog prior to 2.7.1 are affected, allowing malicious PyPI packages to write arbitrary files outside the intended extraction directory during analysis. This flaw enables arbitrary file overwrite and remote code execution on systems running the vulnerable GuardDog instance, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploitation does not require access to the scanning host: the attacker controls the package, not the target. A crafted PyPI package (published to the index, served from a mirror, or otherwise handed to GuardDog for analysis) carries archive entries whose paths resolve outside the extraction directory, so when a vulnerable GuardDog scans it, safe_extract() writes attacker-controlled content to locations of the attacker's choosing. That write can overwrite critical files or plant code that is executed later. No privileges on the target and no user interaction beyond the scan itself are needed, which is why the CVSS vector carries AV:N/PR:N/UI:N and why environments that scan untrusted packages with GuardDog automatically are the most exposed.

The GuardDog security advisory (GHSA-xg9w-vg3g-6m68) and the fixing commit (9aa6a725b2c71d537d3c18d1c15621395ebb879c) confirm that the issue is resolved in version 2.7.1. Security practitioners should update to GuardDog 2.7.1 or later to mitigate the vulnerability.
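To make the failure mode and the SI-10 check concrete, the following added example (written for this page; it is not GuardDog's own code and does not reproduce the specific bypass fixed in 2.7.1) builds a constructed sdist-shaped tarball whose second member is named pkg-1.0/../../escaped.txt, shows a naive extraction loop writing that file as a sibling of the extraction directory, and then shows a hardened safe_extract() that resolves every member path against the real destination before touching the filesystem and rejects traversal, hard links and escaping symlinks. All names in it (build_traversal_tarball, naive_extract, safe_extract, PathTraversalError, demo) are this example's own.

```python
"""Added example for this page: a '..' archive member escaping a naive tar
extraction, and a hardened safe_extract() that refuses it. Illustrative code,
not GuardDog's implementation and not the specific bypass fixed in 2.7.1."""
import io
import os
import tarfile
import tempfile


class PathTraversalError(Exception):
    """An archive member would resolve outside the extraction directory."""


def build_traversal_tarball(malicious: bool = True) -> bytes:
    # Constructed sample: an sdist-shaped tar.gz with one benign module and,
    # if requested, one member whose name climbs out of the package directory.
    entries = [("pkg-1.0/pkg/__init__.py", b"print('hello')\n")]
    if malicious:
        entries.append(("pkg-1.0/../../escaped.txt", b"written outside the sandbox\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_extract(archive: bytes, dest: str) -> list[str]:
    # VULNERABLE pattern, kept on purpose: os.path.join() trusts the member
    # name, so a '..' component walks above dest before the file is opened.
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = os.path.join(dest, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def _inside(root: str, path: str) -> bool:
    # True only when the fully resolved path is root itself or lies below it.
    # realpath() also follows symlinks that earlier members already created.
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def safe_extract(archive: bytes, dest: str) -> list[str]:
    # HARDENED: resolve every target against the real destination before
    # touching the filesystem, validate symlink targets, refuse hard links and
    # special files. Raises PathTraversalError on the first offending member.
    root = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.join(root, member.name)
            if not _inside(root, target):
                raise PathTraversalError(f"{member.name!r} escapes {dest!r}")
            if member.islnk():
                raise PathTraversalError(f"hard link {member.name!r} refused")
            if member.issym():
                link = os.path.join(os.path.dirname(target), member.linkname)
                if not _inside(root, link):
                    raise PathTraversalError(
                        f"symlink {member.name!r} -> {member.linkname!r} escapes {dest!r}")
                os.makedirs(os.path.dirname(target), exist_ok=True)
                os.symlink(member.linkname, target)
            elif member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(member) as src, open(target, "wb") as dst:
                    dst.write(src.read())
                written.append(target)
            # devices, fifos and anything else are silently skipped
    return written


def demo() -> dict:
    # Runs both extractors on the constructed archive inside temp dirs and
    # reports where the escaped file ended up, or that it was blocked.
    archive = build_traversal_tarball()
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = os.path.join(tmp, "sandbox")
        os.mkdir(sandbox)
        paths = naive_extract(archive, sandbox)
        out["naive_escaped"] = not all(_inside(os.path.realpath(sandbox), p) for p in paths)
        out["escaped_path"] = os.path.relpath(paths[-1], os.path.realpath(tmp))
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = os.path.join(tmp, "sandbox")
        os.mkdir(sandbox)
        try:
            safe_extract(archive, sandbox)
            out["safe_blocked"] = False
        except PathTraversalError as exc:
            out["safe_blocked"] = True
            out["reason"] = str(exc)
        out["escaped_file_exists"] = os.path.exists(os.path.join(tmp, "escaped.txt"))
        out["benign_extracted"] = len(safe_extract(build_traversal_tarball(malicious=False), sandbox))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file shows the naive loop placing escaped.txt next to the sandbox directory while the hardened version stops at that member and leaves nothing outside. The boundary check runs before each write, so an archive cannot first create a symlink to /etc and then write through it: os.path.realpath follows symlinks that earlier members already created, and the second member fails the same commonpath test. Python 3.12 and later offer the same class of protection for tarfile.extractall via filter="data", but a tool that implements its own extraction routine, as a function named safe_extract() does, still has to enforce the boundary itself.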

Details

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

datadoghq / guarddog, versions < 2.7.1 (fixed in 2.7.1)

CVEs Like This One

CVE-2026-22870 (same product: Datadoghq Guarddog)
CVE-2016-20048 (shared CWE-22)
CVE-2025-67030 (shared CWE-22)
CVE-2026-30283 (shared CWE-22)
CVE-2026-4092 (shared CWE-22)
CVE-2026-3179 (shared CWE-22)
CVE-2026-5656 (shared CWE-22)
CVE-2025-0332 (shared CWE-22)
CVE-2024-12087 (shared CWE-22)
CVE-2026-40157 (shared CWE-22)
