Platform
python
Component
guarddog
Fixed in
2.7.2
2.7.1
CVE-2026-22871 describes a path traversal vulnerability discovered in the GuardDog Python package. This flaw enables malicious actors to overwrite arbitrary files, ultimately leading to Remote Code Execution (RCE) on affected systems. The vulnerability impacts versions of GuardDog up to and including 2.7.0, with a fix available in version 2.7.1.
The path traversal vulnerability in GuardDog allows attackers to bypass intended file system restrictions. By crafting malicious PyPI packages, an attacker can manipulate the safe_extract() function to write files outside the designated extraction directory. This file overwrite capability can be leveraged to inject malicious code, modify system configurations, or compromise sensitive data. Successful exploitation could grant an attacker complete control over the affected system, enabling them to execute arbitrary commands, steal credentials, or establish a persistent foothold. The potential blast radius extends to any system utilizing vulnerable versions of GuardDog, particularly those involved in automated software deployment or dependency management.
This vulnerability was publicly disclosed on January 13, 2026. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the potential for widespread impact make it a significant concern. The vulnerability's nature aligns with common supply chain attack vectors, increasing the risk of exploitation. No KEV listing is currently available.
Organizations utilizing GuardDog for automated software deployment, dependency management, or package extraction are at significant risk. This includes DevOps teams, CI/CD pipelines, and any environment where third-party Python packages are automatically installed. Shared hosting environments where multiple users may have access to the system are particularly vulnerable.
• python / supply-chain:
```python
import os
import zipfile

def safe_extract(archive_path, extract_to):
    """Flag archive members whose resolved destination escapes extract_to."""
    base = os.path.realpath(extract_to)
    with zipfile.ZipFile(archive_path, 'r') as zipf:
        for member in zipf.infolist():
            # Resolve '..' segments and symlinks before comparing against the base
            dest = os.path.realpath(os.path.join(base, member.filename))
            if os.path.commonpath([base, dest]) != base:
                print(f"Suspicious file: {member.filename}")
```
• generic web: Check for unusual file modifications in the GuardDog installation directory using file integrity monitoring tools.
disclosure
Exploit status
EPSS
0.66% (71st percentile)
CISA SSVC
The primary mitigation for CVE-2026-22871 is to upgrade to GuardDog version 2.7.1 or later, which addresses the path traversal vulnerability. If immediate upgrading is not feasible, consider implementing temporary workarounds such as restricting the directories accessible to GuardDog or implementing stricter file system permissions. Monitor PyPI for suspicious packages and review dependencies regularly. Consider using a software composition analysis (SCA) tool to identify vulnerable dependencies in your projects. After upgrading, confirm the fix by attempting to extract a test archive and verifying that files are written only to the intended directory.
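The verification step above, as an added example that is not GuardDog's own code: a hardened zip extraction that rejects traversal and absolute-path members before writing, run against a constructed archive (not a real PyPI package) so the result can be checked in a fresh temporary directory.

```python
import io
import os
import tempfile
import zipfile

def is_within(base, target):
    """True if target resolves (symlinks and '..' included) to a path under base."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def safe_extract_zip(archive, extract_to):
    """Extract only members whose final on-disk path stays under extract_to.

    Returns (extracted, rejected) lists of member names. Traversal ('../x')
    and absolute ('/etc/x') entries are rejected before anything is written.
    """
    extracted, rejected = [], []
    os.makedirs(extract_to, exist_ok=True)
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            dest = os.path.join(extract_to, info.filename)
            if os.path.isabs(info.filename) or not is_within(extract_to, dest):
                rejected.append(info.filename)
                continue
            zf.extract(info, extract_to)
            extracted.append(info.filename)
    return extracted, rejected

def build_test_archive():
    """Constructed in-memory archive (not a real PyPI package): one benign
    member plus a traversal entry and an absolute-path entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/setup.py", "# benign\n")
        zf.writestr("../escape.txt", "would land outside extract dir\n")
        zf.writestr("/tmp/absolute.txt", "absolute path entry\n")
    buf.seek(0)
    return buf

def demo():
    """Extract into a fresh temp dir; report what was written and whether
    the traversal entry reached the parent directory."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "extract")
        extracted, rejected = safe_extract_zip(build_test_archive(), target)
        on_disk = sorted(os.path.relpath(os.path.join(r, f), target)
                         for r, _, fs in os.walk(target) for f in fs)
        escaped = os.path.exists(os.path.join(tmp, "escape.txt"))
    return extracted, rejected, on_disk, escaped
```

Only `pkg/setup.py` ends up under the extraction directory; both hostile members are reported as rejected and nothing appears in the parent directory.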
Update the GuardDog tool to version 2.7.1 or later. This fixes the path traversal vulnerability that allows arbitrary file writes and remote code execution. You can update GuardDog using the pip package manager: `pip install --upgrade guarddog`.
CVE-2026-22871 is a Remote Code Execution vulnerability in the GuardDog Python package, allowing attackers to overwrite files and potentially gain control of systems.
You are affected if you are using GuardDog version 2.7.0 or earlier. Upgrade to 2.7.1 or later to mitigate the risk.
Upgrade to GuardDog version 2.7.1 or later. As a temporary workaround, restrict file system access or monitor for suspicious file modifications.
No active exploitation campaigns have been publicly reported, but the vulnerability's ease of exploitation warrants caution.
Refer to the GuardDog project's official security advisories and release notes for details: [https://github.com/guarddog-project/guarddog](https://github.com/guarddog-project/guarddog)