CVE-2026-45758 — CRITICAL (CVSS 9.6)

CISO Take

On May 11, 2026, an adversary published a trojanized guardrails-ai 0.10.1 to PyPI containing embedded malicious code (CWE-506), targeting AI teams that rely on this library to validate LLM inputs and outputs. The CVSS 9.6 score with Scope:Changed reflects the true blast radius: exploitation extends beyond the package itself to the entire host OS and any cloud credentials, GitHub PATs, or API keys accessible from that machine. With 7 tracked downstream dependents and widespread use in CI/CD pipelines where dependency installs are automated and unattended, the 2-hour exposure window was sufficient for silent compromise across many environments. Any host that had 0.10.1 installed — even briefly — must be treated as fully compromised: rotate all credentials immediately, audit GitHub accounts for unauthorized workflows or repository changes, and downgrade to 0.10.0 before restoring production workloads.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Critical. CVSS 9.6 with AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H means the adversary needs only a victim to run pip install — no authentication, no complex preconditions. Scope:Changed is the decisive factor: the initial compromise of the Python package escalates to full OS-level control and credential access across cloud infrastructure. The target is an AI security library used specifically to harden LLM applications, meaning affected teams simultaneously lose their guardrails protection while being compromised. No patched release above 0.10.1 exists; remediation requires a downgrade. Risk is elevated for any org running unpinned dependencies in CI/CD or developer environments with access to production cloud accounts.

Attack Kill Chain

Supply Chain Infiltration

Adversary gains PyPI publisher access and uploads guardrails-ai 0.10.1 with embedded malicious code concealed in installation scripts or package init, exploiting trust in the existing legitimate package.

AML.T0109

User Execution

Developer or CI/CD pipeline installs guardrails-ai without a pinned version, silently pulling the malicious 0.10.1 release; automated dependency update jobs are particularly high-risk vectors.

AML.T0011.001

Credential Harvesting

Malicious code executes on the host and scans environment variables for high-value secrets including GitHub PATs, cloud provider credentials, and AI API keys present in AI development environments.

AML.T0055

Exfiltration and Persistence

Harvested credentials are transmitted to an adversary-controlled endpoint; attacker uses stolen tokens to inject backdoors into CI/CD workflows or cloud infrastructure for persistent access.

AML.T0025

Supply Chain Infiltration

Adversary gains PyPI publisher access and uploads guardrails-ai 0.10.1 with embedded malicious code concealed in installation scripts or package init, exploiting trust in the existing legitimate package.

AML.T0109

User Execution

Developer or CI/CD pipeline installs guardrails-ai without a pinned version, silently pulling the malicious 0.10.1 release; automated dependency update jobs are particularly high-risk vectors.

AML.T0011.001

Credential Harvesting

Malicious code executes on the host and scans environment variables for high-value secrets including GitHub PATs, cloud provider credentials, and AI API keys present in AI development environments.

AML.T0055

Exfiltration and Persistence

Harvested credentials are transmitted to an adversary-controlled endpoint; attacker uses stolen tokens to inject backdoors into CI/CD workflows or cloud infrastructure for persistent access.

AML.T0025

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
guardrails-ai	pip	= 0.10.1	No patch
6.9K 7 dependents Pushed 6d ago 0% patched Full package profile →

Do you use guardrails-ai? You're affected.

Severity & Risk

CVSS 3.1

9.6 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Network

AC Low

PR None

UI Required

S Changed

C High

I High

A High

What should I do?

7 steps

Audit all environments immediately: run pip show guardrails-ai across dev machines, CI runners, and production containers to identify any 0.10.1 installations.
Downgrade to safe version: pip install guardrails-ai==0.10.0 or use the clean Git tag: pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0.
Treat any host that had 0.10.1 as fully compromised: rotate GitHub PATs, cloud provider keys (AWS, GCP, Azure), API keys (OpenAI, Anthropic, Hugging Face), package registry tokens, and Snowglobe/Guardrails Hub API keys.
Audit GitHub accounts for unauthorized OAuth app authorizations, new Actions workflows, repository forks, or SSH key additions.
Pin guardrails-ai==0.10.0 in all lockfiles (requirements.txt, pyproject.toml, pip-compile outputs) and enforce version pinning in CI/CD.
Enable hash verification in pip installs (--require-hashes) and integrate PyPI provenance attestation checks.
Review network egress logs from affected hosts for anomalous outbound connections during the May 11 window.

Classification

Supply Chain Code Execution Framework Agent AML.T0010.001 - AI Software AML.T0011.001 - Malicious Package AML.T0055 - Unsecured Credentials AML.T0074 - Masquerading AML.T0109 - AI Supply Chain Rug Pull

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.10.8 - AI system supply chain security

NIST AI RMF

GOVERN 6.2 - Organizational AI supply chain risk policies

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-45758?

On May 11, 2026, an adversary published a trojanized guardrails-ai 0.10.1 to PyPI containing embedded malicious code (CWE-506), targeting AI teams that rely on this library to validate LLM inputs and outputs. The CVSS 9.6 score with Scope:Changed reflects the true blast radius: exploitation extends beyond the package itself to the entire host OS and any cloud credentials, GitHub PATs, or API keys accessible from that machine. With 7 tracked downstream dependents and widespread use in CI/CD pipelines where dependency installs are automated and unattended, the 2-hour exposure window was sufficient for silent compromise across many environments. Any host that had 0.10.1 installed — even briefly — must be treated as fully compromised: rotate all credentials immediately, audit GitHub accounts for unauthorized workflows or repository changes, and downgrade to 0.10.0 before restoring production workloads.

Is CVE-2026-45758 actively exploited?

No confirmed active exploitation of CVE-2026-45758 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45758?

1. Audit all environments immediately: run `pip show guardrails-ai` across dev machines, CI runners, and production containers to identify any 0.10.1 installations. 2. Downgrade to safe version: `pip install guardrails-ai==0.10.0` or use the clean Git tag: `pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0`. 3. Treat any host that had 0.10.1 as fully compromised: rotate GitHub PATs, cloud provider keys (AWS, GCP, Azure), API keys (OpenAI, Anthropic, Hugging Face), package registry tokens, and Snowglobe/Guardrails Hub API keys. 4. Audit GitHub accounts for unauthorized OAuth app authorizations, new Actions workflows, repository forks, or SSH key additions. 5. Pin guardrails-ai==0.10.0 in all lockfiles (requirements.txt, pyproject.toml, pip-compile outputs) and enforce version pinning in CI/CD. 6. Enable hash verification in pip installs (--require-hashes) and integrate PyPI provenance attestation checks. 7. Review network egress logs from affected hosts for anomalous outbound connections during the May 11 window.

What systems are affected by CVE-2026-45758?

This vulnerability affects the following AI/ML architecture patterns: LLM application stacks with input/output validation, AI agent frameworks, CI/CD pipelines for AI projects, Model serving with output filtering, MLOps pipelines.

What is the CVSS score for CVE-2026-45758?

CVE-2026-45758 has a CVSS v3.1 base score of 9.6 (CRITICAL).

Technical Details

NVD Description

### Impact On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` (0.10.1) to PyPI. **Affected:** any user who installed `guardrails-ai==0.10.1` from PyPI on May 11, 2026. Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, we have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through our systems. For the full timeline, technical details, and remediation steps we have taken, see [SECURITY_ADVISORY.md](https://github.com/guardrails-ai/guardrails/blob/main/SECURITY_ADVISORY.md). ### Patches No patched version above 0.10.1 is available yet. **Downgrade to `0.10.0`**, which is unaffected. ### Workarounds **1. Pin to a safe version:** `guardrails-ai==0.10.0` **2. While the PyPI quarantine is active, install from GitHub:** `pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0` The `v0.10.0` tag in this repository is clean. Track quarantine status here: [#1473](https://github.com/guardrails-ai/guardrails/issues/1473). **3. If you installed 0.10.1, treat the host as potentially compromised.** Rotate any credentials accessible from that machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit your GitHub account for unauthorized workflows or repositories. **4. Snowglobe and Guardrails Hub users :** all Snowglobe and Guardrails Hub API keys will be invalidated at 2:00 PM Pacific on May 13, 2026. Rotate yours before then to avoid service interruption. ### References - Full advisory, timeline, and remediation details: [SECURITY_ADVISORY.md](https://github.com/guardrails-ai/guardrails/blob/main/SECURITY_ADVISORY.md)

Exploitation Scenario

An adversary with access to a compromised PyPI maintainer account or stolen publisher token uploads guardrails-ai 0.10.1, embedding malicious code in a post-install hook or __init__.py that executes on package installation or first import. A CI/CD pipeline running nightly dependency updates or a developer running `pip install guardrails-ai` without a pinned version pulls the malicious release from PyPI. On execution, the embedded code scans os.environ for high-value secrets — GITHUB_TOKEN, cloud provider credentials, and AI API keys — and transmits them to an adversary-controlled endpoint over HTTPS to evade network monitoring. The attacker uses the exfiltrated GitHub token to inject a backdoored GitHub Actions workflow into the victim's repository, achieving persistent access to future builds and enabling lateral movement into production cloud infrastructure. Because guardrails-ai is the AI safety layer, the victim's LLM applications simultaneously lose output validation while the attacker establishes persistence.