Skip to main content

guardrails-ai CVE-2026-45758

| EUVDEUVD-2026-34912 CRITICAL
Embedded Malicious Code (CWE-506)
2026-05-19 https://github.com/guardrails-ai/guardrails GHSA-xmpw-2vmm-p4p6
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 16:30 vuln.today
Analysis Generated
May 19, 2026 - 16:30 vuln.today

DescriptionGitHub Advisory

Impact

On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai (0.10.1) to PyPI.

Affected: any user who installed guardrails-ai==0.10.1 from PyPI on May 11, 2026.

Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, we have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through our systems.

For the full timeline, technical details, and remediation steps we have taken, see SECURITY_ADVISORY.md.

Patches

No patched version above 0.10.1 is available yet. Downgrade to 0.10.0, which is unaffected.

Workarounds

1. Pin to a safe version:

guardrails-ai==0.10.0

2. While the PyPI quarantine is active, install from GitHub:

pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0

The v0.10.0 tag in this repository is clean. Track quarantine status here: #1473.

3. If you installed 0.10.1, treat the host as potentially compromised. Rotate any credentials accessible from that machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit your GitHub account for unauthorized workflows or repositories.

4. Snowglobe and Guardrails Hub users : all Snowglobe and Guardrails Hub API keys will be invalidated at 2:00 PM Pacific on May 13, 2026. Rotate yours before then to avoid service interruption.

References

AnalysisAI

Supply chain compromise in the guardrails-ai Python package allows attackers to execute embedded malicious code on any developer or production host that installed version 0.10.1 from PyPI on May 11, 2026. The malicious release was live for roughly two hours before PyPI quarantined it, and the vendor reports no observed callbacks to Guardrails AI infrastructure, but any system that pulled 0.10.1 should be treated as compromised. No public exploit identified at time of analysis as a separate artifact - the package itself is the exploit, and exploitation requires user interaction (the install action) per the CVSS UI:R designation.

Technical ContextAI

guardrails-ai is a Python library distributed via PyPI used to add validation, structure, and safety guardrails around LLM outputs in AI applications. The compromise is classified as CWE-506 (Embedded Malicious Code), meaning a trusted distribution channel - the official PyPI package name - was used to ship attacker-controlled code inside an otherwise legitimate-looking release. The affected artifact is identified by CPE pkg:pip/guardrails-ai at version 0.10.1; because pip installations execute setup/build hooks and import package code at runtime, any environment that ran pip install guardrails-ai==0.10.1 (including unpinned installs resolving to 'latest' during the two-hour window) executed the attacker's payload with the privileges of the installing user.

RemediationAI

No vendor-released patch identified at time of analysis above 0.10.1; the vendor's directed fix is to downgrade to the unaffected 0.10.0 release by pinning guardrails-ai==0.10.0 in requirements files and lockfiles, and while the PyPI quarantine is still active install directly from the clean Git tag using pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0. Any host that installed 0.10.1 should be treated as potentially compromised: rebuild the machine or container image, rotate every credential reachable from it (GitHub PATs, cloud provider keys, package registry tokens, API keys), and audit linked GitHub accounts for unauthorized workflows, deploy keys, or new repositories. Snowglobe and Guardrails Hub users must rotate API keys before 2026-05-13 14:00 Pacific, when the vendor will invalidate all keys as a precaution - note this will break unattended jobs that have not been re-keyed. See the advisory at https://github.com/guardrails-ai/guardrails/security/advisories/GHSA-xmpw-2vmm-p4p6 for the full step list.

Share

CVE-2026-45758 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy