Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Guardrails AI thru 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the post_install field. The script path is constructed from untrusted manifest data and executed without proper validation or sanitization, allowing remote code execution. An attacker who can publish malicious packages to the Hub can inject arbitrary code that will be executed on any system where a victim installs the malicious package.
AnalysisAI
Remote code execution in Guardrails AI through version 0.6.7 occurs when installing validator packages via the Hub mechanism. The guardrails hub install command dynamically executes post-installation scripts from Hub manifests without validating the script path or content, allowing attackers who publish malicious packages to achieve arbitrary code execution on victim systems during package installation. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS (18th percentile), this represents a supply chain attack requiring user-initiated installation rather than widespread automated exploitation. No active exploitation confirmed (not in CISA KEV), and patch availability not confirmed from available data.
Technical ContextAI
Guardrails AI is an ML validation framework with a package ecosystem hosted on Guardrails Hub. The vulnerability stems from CWE-94 (Improper Control of Generation of Code, aka code injection) in the Hub client's package installation workflow. When executing guardrails hub install, the client retrieves a JSON manifest from the remote Hub repository containing metadata including a post_install field specifying a script path. The client constructs the full script path by concatenating untrusted manifest data with local filesystem paths, then executes this script without input validation, path traversal checks, or sandboxing. This trust-on-first-use model assumes all Hub packages are benign, creating a supply chain attack vector. The CPE data is incomplete (cpe:2.3:a:n/a:n/a), reflecting the package's relative obscurity in vulnerability databases, though the GitHub repository at guardrails-ai/guardrails confirms the product identity.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed. The Notion page at https://www.notion.so/CVE-2026-31233-35d1e13931888142a954fb3f50ee0c94 may contain vendor remediation guidance but access requires authentication. Monitor the GitHub repository https://github.com/guardrails-ai/guardrails for security advisories and commit history indicating input validation fixes to the Hub installation mechanism. As compensating controls until a confirmed patch: (1) Avoid installing third-party validator packages from Guardrails Hub in production environments - this eliminates the attack vector entirely but breaks Hub ecosystem functionality. (2) Review Hub package manifests manually before installation by inspecting the post_install field in package metadata, though this requires technical expertise and defeats convenience. (3) Run guardrails hub install commands only in isolated containers or VMs with no access to sensitive data or credentials, containing potential RCE impact but adding operational overhead. (4) Implement network egress filtering to block outbound connections from ML training environments, preventing post-exploitation command-and-control but potentially breaking legitimate package dependencies. Each mitigation trades functionality or operational simplicity for security.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29556
GHSA-r6hf-g5x6-7pv9