PatchSiren cyber security CVE debrief

CVE-2026-44972 DataDog CVE debrief

GuardDog, a CLI tool for identifying malicious PyPI packages, contains an output sanitization flaw in versions 2.6.0 through 2.9.0. The tool includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. This allows a malicious package to inject ANSI or OSC escape sequences into analyst terminals or CI logs, potentially enabling visual deception, log tampering, or terminal manipulation attacks. The vulnerability is classified as CWE-116 (Improper Encoding or Escaping of Output). The issue was disclosed via GitHub Security Advisory and received by NVD on May 27, 2026.

Vendor: DataDog
Product: guarddog
CVSS: MEDIUM 5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Security teams using GuardDog for PyPI package analysis; DevSecOps engineers integrating GuardDog into CI/CD pipelines; SOC analysts reviewing GuardDog output in terminal environments

Technical summary

GuardDog versions 2.6.0 through 2.9.0 do not sanitize attacker-controlled data (filenames, paths, messages, code snippets) before writing it to the terminal. This enables injection of ANSI escape sequences (cursor manipulation, color changes) and OSC escape sequences (clipboard access, window title changes, and arbitrary command execution in some terminal emulators). Exploitation requires an analyst to scan a malicious package with GuardDog and view the output in a vulnerable terminal. Impact is limited by the local attack vector and the user-interaction requirement, but the scope is rated as changed because of the downstream impact on CI systems that consume the output.

Defensive priority

medium

Recommended defensive actions

  • Upgrade GuardDog to version 2.9.1 or later, which contains the fix for terminal escape sequence injection
  • Review CI/CD pipeline logs for unexpected ANSI or OSC escape sequences that may indicate exploitation attempts
  • Implement output sanitization wrappers for GuardDog execution in automated environments until patched
  • Audit PyPI packages scanned by GuardDog for embedded terminal control characters in filenames or code snippets
  • Consider running GuardDog in isolated environments with terminal emulation disabled for CI/CD pipelines
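An added example of the sanitization wrapper and log-review check recommended above (not GuardDog's own code, and the sample report lines are constructed): one regular expression recognises CSI, OSC and other ESC-prefixed sequences plus stray C0 controls, neutralize() rewrites each one into its visible \xNN form so nothing reaches the terminal emulator uninterpreted, and audit_log_lines() flags which captured lines carried such sequences.

```python
import re

# One pass over the text, matching (in this order) CSI sequences such as cursor
# movement, line erase and colour changes; OSC sequences such as window-title and
# clipboard writes, terminated by BEL or ESC-backslash; any other ESC-prefixed byte
# or a lone ESC; and the remaining C0 controls plus DEL. Tab, LF and CR are kept.
CONTROL_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"            # CSI
    r"|\x1b\].*?(?:\x07|\x1b\\)"           # OSC with terminator
    r"|\x1b.?"                             # other ESC sequence (or unterminated OSC/CSI)
    r"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]",  # other C0 controls and DEL
    re.DOTALL,
)


def neutralize(text: str) -> str:
    """Rewrite every control sequence as its visible \\xNN form so a terminal or
    log viewer displays it instead of interpreting it."""
    return CONTROL_RE.sub(
        lambda m: m.group(0).encode("unicode_escape").decode("ascii"), text
    )


def find_control_sequences(text: str) -> list:
    """Return the raw control sequences present, for detection and review."""
    return [m.group(0) for m in CONTROL_RE.finditer(text)]


def audit_log_lines(lines):
    """Yield (line_no, neutralized_line, sequences) for lines carrying control
    sequences, e.g. when reviewing captured CI job output."""
    for line_no, line in enumerate(lines, 1):
        seqs = find_control_sequences(line)
        if seqs:
            yield line_no, neutralize(line), seqs


# Constructed sample lines in the shape of an unsanitized scanner report (constructed
# data, not real GuardDog output or any real package): a filename that erases the
# previous line and repaints a green "OK", a snippet with an OSC 52 clipboard write,
# and a snippet with an OSC 0 window-title change terminated by ESC-backslash.
SAMPLE_REPORT = [
    "pkg/setup.py: exec-base64 (plain line, nothing to neutralize)",
    "pkg/\x1b[2K\x1b[1A\x1b[32mOK: no issues found\x1b[0m/setup.py: obfuscation",
    "snippet: \x1b]52;c;aGVsbG8=\x07import base64",
    "snippet: \x1b]0;trusted-ci\x1b\\print('hi')",
]

if __name__ == "__main__":
    for line_no, safe, seqs in audit_log_lines(SAMPLE_REPORT):
        print(f"line {line_no}: {len(seqs)} control sequence(s) -> {safe}")
```

An unterminated OSC is deliberately not swallowed to end of input: only its ESC is escaped, so the payload stays visible rather than being hidden or interpreted.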

Evidence notes

Vulnerability affects GuardDog CLI tool versions 2.6.0 to 2.9.0. Attack vector requires local access with user interaction. CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Official resources
