Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai (0.10.1) to PyPI.
Affected: any user who installed guardrails-ai==0.10.1 from PyPI on May 11, 2026.
Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, we have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through our systems.
For the full timeline, technical details, and remediation steps we have taken, see SECURITY_ADVISORY.md.
Patches
No patched version above 0.10.1 is available yet. Downgrade to 0.10.0, which is unaffected.
Workarounds
1. Pin to a safe version:
guardrails-ai==0.10.0
2. While the PyPI quarantine is active, install from GitHub:
pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0
The v0.10.0 tag in this repository is clean. Track quarantine status here: #1473.
3. If you installed 0.10.1, treat the host as potentially compromised. Rotate any credentials accessible from that machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit your GitHub account for unauthorized workflows or repositories.
4. Snowglobe and Guardrails Hub users : all Snowglobe and Guardrails Hub API keys will be invalidated at 2:00 PM Pacific on May 13, 2026. Rotate yours before then to avoid service interruption.
References
- Full advisory, timeline, and remediation details: SECURITY_ADVISORY.md
AnalysisAI
Supply chain compromise in the guardrails-ai Python package allows attackers to execute embedded malicious code on any developer or production host that installed version 0.10.1 from PyPI on May 11, 2026. The malicious release was live for roughly two hours before PyPI quarantined it, and the vendor reports no observed callbacks to Guardrails AI infrastructure, but any system that pulled 0.10.1 should be treated as compromised. No public exploit identified at time of analysis as a separate artifact - the package itself is the exploit, and exploitation requires user interaction (the install action) per the CVSS UI:R designation.
Technical ContextAI
guardrails-ai is a Python library distributed via PyPI used to add validation, structure, and safety guardrails around LLM outputs in AI applications. The compromise is classified as CWE-506 (Embedded Malicious Code), meaning a trusted distribution channel - the official PyPI package name - was used to ship attacker-controlled code inside an otherwise legitimate-looking release. The affected artifact is identified by CPE pkg:pip/guardrails-ai at version 0.10.1; because pip installations execute setup/build hooks and import package code at runtime, any environment that ran pip install guardrails-ai==0.10.1 (including unpinned installs resolving to 'latest' during the two-hour window) executed the attacker's payload with the privileges of the installing user.
RemediationAI
No vendor-released patch identified at time of analysis above 0.10.1; the vendor's directed fix is to downgrade to the unaffected 0.10.0 release by pinning guardrails-ai==0.10.0 in requirements files and lockfiles, and while the PyPI quarantine is still active install directly from the clean Git tag using pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0. Any host that installed 0.10.1 should be treated as potentially compromised: rebuild the machine or container image, rotate every credential reachable from it (GitHub PATs, cloud provider keys, package registry tokens, API keys), and audit linked GitHub accounts for unauthorized workflows, deploy keys, or new repositories. Snowglobe and Guardrails Hub users must rotate API keys before 2026-05-13 14:00 Pacific, when the vendor will invalidate all keys as a precaution - note this will break unattended jobs that have not been re-keyed. See the advisory at https://github.com/guardrails-ai/guardrails/security/advisories/GHSA-xmpw-2vmm-p4p6 for the full step list.
Same weakness CWE-506 – Embedded Malicious Code
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34912
GHSA-xmpw-2vmm-p4p6