CVE-2026-31233: guardrails-ai: RCE via malicious Hub package manifest

GHSA-r6hf-g5x6-7pv9 CRITICAL
Published May 12, 2026

CISO Take

Guardrails AI through 0.6.7 executes a post-install script specified in the Hub manifest without any sanitization or validation, giving any attacker who can publish a malicious package to the Hub full remote code execution on every developer machine and CI/CD pipeline that installs it. This is particularly damaging because Guardrails AI sits inside the AI safety layer of LLM stacks — compromising it does not just own a build box, it silently undermines the guardrail protecting your models from prompt injection and unsafe outputs. With a CVSS of 9.8, zero authentication required, no public exploit yet (EPSS top 41%), and no patch available at time of publication, the entire range of affected versions remains exposed. Audit all recent guardrails hub install invocations and their downloaded manifests for suspicious post_install entries, pin to internally reviewed validator packages only, and block automated Hub access in CI/CD until a patched release is confirmed.

Sources: NVD, EPSS, GitHub Advisory, ATLAS

What is the risk?

Critical. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) reflects a worst-case network-accessible supply chain vector requiring no privileges and no user interaction beyond a routine install command. The absence of a patch at disclosure compounds the risk. While EPSS (0.00378, top 41%) indicates exploitation is not yet widespread, the simplicity of the attack — publish a package, wait for installs — lowers the bar for opportunistic threat actors. Guardrails AI's role as an AI safety enforcement layer makes the blast radius asymmetric: a compromised guardrail is invisible to defenders while actively neutralizing a key AI risk control.

Attack Kill Chain

  1. Hub Account Setup (AML.T0021)
     Attacker establishes a Guardrails Hub account and publishes a convincingly named validator package with a crafted manifest containing a malicious post_install script path.

  2. Malicious Package Staging (AML.T0011.001)
     The attacker-controlled post_install payload is staged on reachable infrastructure and the malicious manifest is live on the Hub, ready to be fetched by any installing client.

  3. Supply Chain Delivery (AML.T0010.001)
     Victim developer or CI/CD pipeline runs `guardrails hub install <package>`, fetching the attacker manifest; the client constructs the script path from untrusted manifest data without sanitization.

  4. Arbitrary Code Execution (AML.T0050)
     The unvalidated post_install script executes in the victim's context, achieving full system compromise — credential exfiltration, persistence in the AI pipeline, and silent bypass of guardrail safety controls.

What systems are affected?

Package        Ecosystem   Vulnerable Range   Patched
guardrails-ai  pip         <= 0.6.7           No patch


Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 59% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

  1. Immediate: Audit all `guardrails hub install` invocations in dev, CI/CD, and production build environments for the past 90 days.

  2. Inspect installed validator manifests (typically cached locally post-install) for suspicious or unexpected post_install script paths.

  3. Restrict outbound access to the Guardrails Hub from automated build pipelines until a patched version is available.

  4. Pin to a known-good set of internally reviewed validator packages and block installation of new Hub packages until the vulnerability is resolved.

  5. Monitor process execution logs for unexpected child processes spawned by the guardrails CLI during install.

  6. Track the upstream GitHub repository (guardrails-ai/guardrails) and the GHSA-r6hf-g5x6-7pv9 advisory for patch release announcements.

  7. If compromise is suspected, treat the affected host as fully compromised — rotate all credentials accessible from that environment.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
8.4 - AI system lifecycle — supply chain
NIST AI RMF
GOVERN 6.1 - AI Supply Chain Risk Management
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions


Is CVE-2026-31233 actively exploited?

No confirmed active exploitation of CVE-2026-31233 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-31233?

This vulnerability affects the following AI/ML architecture patterns: LLM safety and validation pipelines, Agent frameworks with guardrails integration, CI/CD pipelines with AI tooling, LLM application development environments, MLOps build and packaging pipelines.

What is the CVSS score for CVE-2026-31233?

CVE-2026-31233 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.38%.

AI Security Impact

Affected AI Architectures

LLM safety and validation pipelines
Agent frameworks with guardrails integration
CI/CD pipelines with AI tooling
LLM application development environments
MLOps build and packaging pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.001 Malicious Package
AML.T0021 Establish Accounts
AML.T0050 Command and Scripting Interpreter
AML.T0079 Stage Capabilities

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: 8.4
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM05:2025

Technical Details

Original Advisory

Guardrails AI through 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When installing validator packages via `guardrails hub install`, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the post_install field. The script path is constructed from untrusted manifest data and executed without proper validation or sanitization, allowing remote code execution. An attacker who can publish malicious packages to the Hub can inject arbitrary code that will be executed on any system where a victim installs the malicious package.
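The checks a hardened installer would apply to the post_install field described above are the same ones a defender can run over already-cached manifests (step 2 of the remediation list). The audit below is an added example, not guardrails-ai code: the manifest.json layout, the top-level post_install key, the package ids and the four sample manifests are all assumed or constructed for illustration.

```python
# Added example, not guardrails-ai code. Assumes (the real schema is not in the
# advisory) each cached package dir holds manifest.json with an optional
# top-level "post_install" string naming the hook script.
import json
import re
import tempfile
from pathlib import Path

# Constructed sample manifests: one benign hook, three shapes of abuse.
SAMPLE_MANIFESTS = {
    "pii_detector/manifest.json": {"id": "guardrails/pii_detector", "post_install": "post_install.py"},
    "evil_pii/manifest.json": {"id": "acme/evil_pii", "post_install": "../../tmp/payload.py"},
    "evil_url/manifest.json": {"id": "acme/evil_url", "post_install": "http://example.invalid/x.py"},
    "evil_cmd/manifest.json": {"id": "acme/evil_cmd", "post_install": "post_install.py; curl ..."},
}
SHELL_META = re.compile(r"[;&|`$<>\n]")

def check_post_install(package_dir: Path, value: "str | None") -> list[str]:
    """Reasons the hook must not run; an empty list means it passed every check."""
    reasons = []
    if not value:
        return reasons  # no hook declared, nothing to execute
    if re.match(r"^[a-z]+://", value):
        reasons.append("remote URL")
    if SHELL_META.search(value):
        reasons.append("shell metacharacters")
    # Absolute paths and ../ traversal both resolve outside the package dir.
    target = (package_dir / value).resolve()
    if package_dir.resolve() not in target.parents:
        reasons.append("escapes package directory")
    if target.suffix != ".py":
        reasons.append("not a .py file")
    return reasons

def audit_manifests(cache_root: Path) -> dict[str, list[str]]:
    """Map package id -> failure reasons for every cached manifest that fails."""
    findings = {}
    for manifest in cache_root.rglob("manifest.json"):
        data = json.loads(manifest.read_text())
        reasons = check_post_install(manifest.parent, data.get("post_install"))
        if reasons:
            findings[data.get("id", str(manifest))] = reasons
    return findings

def run_sample_audit() -> dict[str, list[str]]:
    # Write the constructed manifests into a temporary cache and audit them.
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLE_MANIFESTS.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True)
            path.write_text(json.dumps(data))
        return audit_manifests(Path(tmp))
```

Point audit_manifests at the real local cache directory instead of the temporary one to review packages that were already installed; a hook that passes these checks still deserves a manual read before it is trusted.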

Exploitation Scenario

An attacker creates a legitimate-looking validator package (e.g., a plausible PII detection or prompt injection detector) and publishes it to the Guardrails Hub with a crafted manifest containing a malicious post_install script path pointing to attacker-controlled content. A developer or automated pipeline runs `guardrails hub install <attacker-package>` — a routine operation for extending guardrail coverage. The Hub client fetches the manifest, constructs the script path from the untrusted manifest data, and executes it without validation, achieving arbitrary code execution. The attacker payload deploys a reverse shell, exfiltrates AWS/GCP/Azure credentials from environment variables, and installs a backdoored version of the guardrails validator that silently bypasses safety checks while reporting normal operation to the application layer.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 12, 2026
Last Modified
May 27, 2026
First Seen
May 28, 2026

Related Vulnerabilities