Guardrails AI through 0.6.7 executes a post-install script specified in the Hub manifest without any sanitization or validation, giving any attacker who can publish a malicious package to the Hub full remote code execution on every developer machine and CI/CD pipeline that installs it. This is particularly damaging because Guardrails AI sits inside the AI safety layer of LLM stacks — compromising it does not just own a build box, it silently undermines the guardrail protecting your models from prompt injection and unsafe outputs. With a CVSS of 9.8, zero authentication required, no public exploit yet (EPSS top 41%), and no patch available at time of publication, the entire range of affected versions remains exposed. Audit all recent guardrails hub install invocations and their downloaded manifests for suspicious post_install entries, pin to internally reviewed validator packages only, and block automated Hub access in CI/CD until a patched release is confirmed.
What is the risk?
Critical. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) reflects a worst-case network-accessible supply chain vector requiring no privileges and no user interaction beyond a routine install command. The absence of a patch at disclosure compounds the risk. While EPSS (0.00378, top 41%) indicates exploitation is not yet widespread, the simplicity of the attack — publish a package, wait for installs — lowers the bar for opportunistic threat actors. Guardrails AI's role as an AI safety enforcement layer makes the blast radius asymmetric: a compromised guardrail is invisible to defenders while actively neutralizing a key AI risk control.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Guardrails AI | pip | <= 0.6.7 | No patch |
Do you use Guardrails AI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
7 steps-
Immediate: Audit all
guardrails hub installinvocations in dev, CI/CD, and production build environments for the past 90 days. -
Inspect installed validator manifests (typically cached locally post-install) for suspicious or unexpected post_install script paths.
-
Restrict outbound access to the Guardrails Hub from automated build pipelines until a patched version is available.
-
Pin to a known-good set of internally reviewed validator packages and block installation of new Hub packages until the vulnerability is resolved.
-
Monitor process execution logs for unexpected child processes spawned by the guardrails CLI during install.
-
Track the upstream GitHub repository (guardrails-ai/guardrails) and the GHSA-r6hf-g5x6-7pv9 advisory for patch release announcements.
-
If compromise is suspected, treat the affected host as fully compromised — rotate all credentials accessible from that environment.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-31233?
Guardrails AI through 0.6.7 executes a post-install script specified in the Hub manifest without any sanitization or validation, giving any attacker who can publish a malicious package to the Hub full remote code execution on every developer machine and CI/CD pipeline that installs it. This is particularly damaging because Guardrails AI sits inside the AI safety layer of LLM stacks — compromising it does not just own a build box, it silently undermines the guardrail protecting your models from prompt injection and unsafe outputs. With a CVSS of 9.8, zero authentication required, no public exploit yet (EPSS top 41%), and no patch available at time of publication, the entire range of affected versions remains exposed. Audit all recent guardrails hub install invocations and their downloaded manifests for suspicious post_install entries, pin to internally reviewed validator packages only, and block automated Hub access in CI/CD until a patched release is confirmed.
Is CVE-2026-31233 actively exploited?
No confirmed active exploitation of CVE-2026-31233 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-31233?
1. Immediate: Audit all `guardrails hub install` invocations in dev, CI/CD, and production build environments for the past 90 days. 2. Inspect installed validator manifests (typically cached locally post-install) for suspicious or unexpected post_install script paths. 3. Restrict outbound access to the Guardrails Hub from automated build pipelines until a patched version is available. 4. Pin to a known-good set of internally reviewed validator packages and block installation of new Hub packages until the vulnerability is resolved. 5. Monitor process execution logs for unexpected child processes spawned by the guardrails CLI during install. 6. Track the upstream GitHub repository (guardrails-ai/guardrails) and the GHSA-r6hf-g5x6-7pv9 advisory for patch release announcements. 7. If compromise is suspected, treat the affected host as fully compromised — rotate all credentials accessible from that environment.
What systems are affected by CVE-2026-31233?
This vulnerability affects the following AI/ML architecture patterns: LLM safety and validation pipelines, Agent frameworks with guardrails integration, CI/CD pipelines with AI tooling, LLM application development environments, MLOps build and packaging pipelines.
What is the CVSS score for CVE-2026-31233?
CVE-2026-31233 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.64%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0011.001 Malicious Package AML.T0021 Establish Accounts AML.T0050 Command and Scripting Interpreter AML.T0079 Stage Capabilities Compliance Controls Affected
What are the technical details?
Original Advisory
Guardrails AI thru 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the post_install field. The script path is constructed from untrusted manifest data and executed without proper validation or sanitization, allowing remote code execution. An attacker who can publish malicious packages to the Hub can inject arbitrary code that will be executed on any system where a victim installs the malicious package.
Exploitation Scenario
An attacker creates a legitimate-looking validator package (e.g., a plausible PII detection or prompt injection detector) and publishes it to the Guardrails Hub with a crafted manifest containing a malicious post_install script path pointing to attacker-controlled content. A developer or automated pipeline runs `guardrails hub install <attacker-package>` — a routine operation for extending guardrail coverage. The Hub client fetches the manifest, constructs the script path from the untrusted manifest data, and executes it without validation, achieving arbitrary code execution. The attacker payload deploys a reverse shell, exfiltrates AWS/GCP/Azure credentials from environment variables, and installs a backdoored version of the guardrails validator that silently bypasses safety checks while reporting normal operation to the application layer.
Weaknesses (CWE)
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-45758 9.6 guardrails-ai: malicious 0.10.1 enables host compromise
Same package: guardrails-ai CVE-2024-2912 10.0 BentoML: RCE via insecure deserialization (CVSS 10)
Same attack type: Supply Chain CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read
Same attack type: Supply Chain CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Supply Chain CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same attack type: Supply Chain