Denial of Service Vulnerability in GuardDog CLI Tool from DataDog
CVE-2026-22870

7.1HIGH

Key Information:

Vendor: Datadog
Status: Guarddog
Vendor: CVE Published:; 13 January 2026

What is CVE-2026-22870?

The GuardDog CLI tool, developed by DataDog to identify malicious PyPI packages, contains a vulnerability in its safe_extract() function. Versions prior to 2.7.1 fail to validate decompressed file sizes when extracting ZIP archives, such as wheels and eggs. This oversight allows attackers to leverage zip bombs, effectively causing a denial of service by consuming significant disk space—potentially gigabytes—from merely a few megabytes of compressed data. An update to version 2.7.1 addresses this issue.

Affected Version(s)

guarddog < 2.7.1

References

https://github.com/DataDog/guarddog/security/advisories/G...

x_refsource_CONFIRM

https://github.com/DataDog/guarddog/commit/c3fb07b4838945...

x_refsource_MISC

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 13, 2026
Vulnerability Reserved
Jan 12, 2026

CVE-2026-22870 Data

JSON

Datadog

What is CVE-2026-22870?

Affected Version(s)

References

CVSS V4

Timeline