Skip to main content

Guardrails AI CVE-2026-31233

| EUVDEUVD-2026-29556 CRITICAL
Code Injection (CWE-94)
2026-05-12 mitre GHSA-r6hf-g5x6-7pv9
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 20:23 vuln.today
CVSS changed
May 14, 2026 - 20:22 NVD
9.8 (CRITICAL)
CVE Published
May 12, 2026 - 00:00 nvd
CRITICAL 9.8
CVE Published
May 12, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Guardrails AI thru 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the post_install field. The script path is constructed from untrusted manifest data and executed without proper validation or sanitization, allowing remote code execution. An attacker who can publish malicious packages to the Hub can inject arbitrary code that will be executed on any system where a victim installs the malicious package.

AnalysisAI

Remote code execution in Guardrails AI through version 0.6.7 occurs when installing validator packages via the Hub mechanism. The guardrails hub install command dynamically executes post-installation scripts from Hub manifests without validating the script path or content, allowing attackers who publish malicious packages to achieve arbitrary code execution on victim systems during package installation. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS (18th percentile), this represents a supply chain attack requiring user-initiated installation rather than widespread automated exploitation. No active exploitation confirmed (not in CISA KEV), and patch availability not confirmed from available data.

Technical ContextAI

Guardrails AI is an ML validation framework with a package ecosystem hosted on Guardrails Hub. The vulnerability stems from CWE-94 (Improper Control of Generation of Code, aka code injection) in the Hub client's package installation workflow. When executing guardrails hub install, the client retrieves a JSON manifest from the remote Hub repository containing metadata including a post_install field specifying a script path. The client constructs the full script path by concatenating untrusted manifest data with local filesystem paths, then executes this script without input validation, path traversal checks, or sandboxing. This trust-on-first-use model assumes all Hub packages are benign, creating a supply chain attack vector. The CPE data is incomplete (cpe:2.3:a:n/a:n/a), reflecting the package's relative obscurity in vulnerability databases, though the GitHub repository at guardrails-ai/guardrails confirms the product identity.

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed. The Notion page at https://www.notion.so/CVE-2026-31233-35d1e13931888142a954fb3f50ee0c94 may contain vendor remediation guidance but access requires authentication. Monitor the GitHub repository https://github.com/guardrails-ai/guardrails for security advisories and commit history indicating input validation fixes to the Hub installation mechanism. As compensating controls until a confirmed patch: (1) Avoid installing third-party validator packages from Guardrails Hub in production environments - this eliminates the attack vector entirely but breaks Hub ecosystem functionality. (2) Review Hub package manifests manually before installation by inspecting the post_install field in package metadata, though this requires technical expertise and defeats convenience. (3) Run guardrails hub install commands only in isolated containers or VMs with no access to sensitive data or credentials, containing potential RCE impact but adding operational overhead. (4) Implement network egress filtering to block outbound connections from ML training environments, preventing post-exploitation command-and-control but potentially breaking legitimate package dependencies. Each mitigation trades functionality or operational simplicity for security.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-31233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy