CVE-2026-45758: guardrails-ai: malicious 0.10.1 enables host compromise

GHSA-xmpw-2vmm-p4p6 CRITICAL
Published May 19, 2026
CISO Take

On May 11, 2026, an adversary published a trojanized guardrails-ai 0.10.1 to PyPI containing embedded malicious code (CWE-506), targeting AI teams that rely on this library to validate LLM inputs and outputs. The CVSS 9.6 score with Scope:Changed reflects the true blast radius: exploitation extends beyond the package itself to the entire host OS and any cloud credentials, GitHub PATs, or API keys accessible from that machine. With 7 tracked downstream dependents and widespread use in CI/CD pipelines where dependency installs are automated and unattended, the 2-hour exposure window was sufficient for silent compromise across many environments. Any host that had 0.10.1 installed — even briefly — must be treated as fully compromised: rotate all credentials immediately, audit GitHub accounts for unauthorized workflows or repository changes, and downgrade to 0.10.0 before restoring production workloads.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Critical. CVSS 9.6 with AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H means the adversary needs only a victim to run pip install — no authentication, no complex preconditions. Scope:Changed is the decisive factor: the initial compromise of the Python package escalates to full OS-level control and credential access across cloud infrastructure. The target is an AI security library used specifically to harden LLM applications, meaning affected teams simultaneously lose their guardrails protection while being compromised. No patched release above 0.10.1 exists; remediation requires a downgrade. Risk is elevated for any org running unpinned dependencies in CI/CD or developer environments with access to production cloud accounts.

How does the attack unfold?

  1. Supply Chain Infiltration (AML.T0109)
     Adversary gains PyPI publisher access and uploads guardrails-ai 0.10.1 with embedded malicious code concealed in installation scripts or package init, exploiting trust in the existing legitimate package.

  2. User Execution (AML.T0011.001)
     Developer or CI/CD pipeline installs guardrails-ai without a pinned version, silently pulling the malicious 0.10.1 release; automated dependency update jobs are particularly high-risk vectors.

  3. Credential Harvesting (AML.T0055)
     Malicious code executes on the host and scans environment variables for high-value secrets including GitHub PATs, cloud provider credentials, and AI API keys present in AI development environments.

  4. Exfiltration and Persistence (AML.T0025)
     Harvested credentials are transmitted to an adversary-controlled endpoint; the attacker uses stolen tokens to inject backdoors into CI/CD workflows or cloud infrastructure for persistent access.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| Guardrails AI | pip | = 0.10.1 | No patch |

7.1K · 7 dependents · pushed 9d ago · 0% patched

Do you use Guardrails AI? You're affected.

How severe is it?

CVSS 3.1: 9.6 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 19% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

7 steps
  1. Audit all environments immediately: run pip show guardrails-ai across dev machines, CI runners, and production containers to identify any 0.10.1 installations.

  2. Downgrade to safe version: pip install guardrails-ai==0.10.0 or use the clean Git tag: pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0.

  3. Treat any host that had 0.10.1 as fully compromised: rotate GitHub PATs, cloud provider keys (AWS, GCP, Azure), API keys (OpenAI, Anthropic, Hugging Face), package registry tokens, and Snowglobe/Guardrails Hub API keys.

  4. Audit GitHub accounts for unauthorized OAuth app authorizations, new Actions workflows, repository forks, or SSH key additions.

  5. Pin guardrails-ai==0.10.0 in all lockfiles (requirements.txt, pyproject.toml, pip-compile outputs) and enforce version pinning in CI/CD.

  6. Enable hash verification in pip installs (--require-hashes) and integrate PyPI provenance attestation checks.

  7. Review network egress logs from affected hosts for anomalous outbound connections during the May 11 window.
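Steps 1, 5 and 6 above can be scripted rather than checked by hand. The block below is an added example, not code from the advisory or from the Guardrails project: it reports the installed guardrails-ai version through importlib.metadata, then scans a requirements file for guardrails-ai lines that are unpinned, pinned to 0.10.1, or missing the --hash options that pip --require-hashes needs. The sample requirements text and its sha256 values are constructed placeholders, not real digests.

```python
"""Audit a Python environment and its requirements file for the malicious
guardrails-ai release. Added example; not the project's own tooling."""
from __future__ import annotations

import re
from importlib import metadata

TARGET = "guardrails-ai"
MALICIOUS_VERSION = "0.10.1"   # the trojanized release named in the advisory
SAFE_VERSION = "0.10.0"        # the downgrade target named in the advisory

# Constructed sample requirements file. The --hash values are placeholders,
# not the real digests of any release.
SAMPLE_REQUIREMENTS = """\
# constructed application dependencies
guardrails-ai
guardrails_ai==0.10.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.32.3 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
Guardrails-AI>=0.9,<0.11
guardrails-ai==0.10.0 --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_PIN_RE = re.compile(r"==\s*([0-9][0-9A-Za-z.+!]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: guardrails_ai, Guardrails-AI and guardrails-ai compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str) -> tuple[str, str | None, bool] | None:
    """Return (normalized name, exact pin or None, has --hash) for one requirement
    line; None for comments, blank lines and pip options such as -r or --index-url."""
    body = line.split("#", 1)[0].split(";", 1)[0].strip()
    if not body or body.startswith("-"):
        return None
    has_hash = "--hash=" in body
    body = re.sub(r"\s*--hash=\S+", "", body).strip()
    m = _NAME_RE.match(body)
    if not m:
        return None
    name, _extras, spec = m.groups()
    pin = _PIN_RE.fullmatch(spec.strip())
    return normalize(name), (pin.group(1) if pin else None), has_hash


def audit_requirements(text: str) -> list[tuple[int, str, str]]:
    """Flag (line number, package, problem). 'malicious-pin' and 'unpinned' are
    the guardrails-ai lines that pull or could pull 0.10.1; 'no-hash' marks any
    line that would fail once --require-hashes is enforced."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, pinned, has_hash = parsed
        if name == TARGET:
            if pinned == MALICIOUS_VERSION:
                findings.append((n, name, "malicious-pin"))
            elif pinned is None:
                findings.append((n, name, "unpinned"))
        if not has_hash:
            findings.append((n, name, "no-hash"))
    return findings


def installed_version(dist: str = TARGET) -> str | None:
    """Version installed in the running interpreter, or None if absent.
    Equivalent to step 1's `pip show`, runnable inside a container or CI job."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    for n, pkg, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {n}: {pkg}: {problem}")
    v = installed_version()
    print("installed:", v, "COMPROMISED HOST" if v == MALICIOUS_VERSION else "")
```

Run it with the real requirements file in place of the sample; any `malicious-pin` finding, or an installed version of 0.10.1, puts that host into step 3's rotate-everything path, and the `no-hash` findings are the lines to regenerate with hashes before turning on `--require-hashes`.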

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.10.8 - AI system supply chain security
NIST AI RMF: GOVERN 6.2 - Organizational AI supply chain risk policies
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-45758?

On May 11, 2026, an adversary published a trojanized guardrails-ai 0.10.1 to PyPI containing embedded malicious code (CWE-506), targeting AI teams that rely on this library to validate LLM inputs and outputs. The CVSS 9.6 score with Scope:Changed reflects the true blast radius: exploitation extends beyond the package itself to the entire host OS and any cloud credentials, GitHub PATs, or API keys accessible from that machine. With 7 tracked downstream dependents and widespread use in CI/CD pipelines where dependency installs are automated and unattended, the 2-hour exposure window was sufficient for silent compromise across many environments. Any host that had 0.10.1 installed — even briefly — must be treated as fully compromised: rotate all credentials immediately, audit GitHub accounts for unauthorized workflows or repository changes, and downgrade to 0.10.0 before restoring production workloads.

Is CVE-2026-45758 actively exploited?

No confirmed active exploitation of CVE-2026-45758 has been reported, but organizations should still remediate proactively: no patched release exists, so this means downgrading to 0.10.0 and treating any host that had 0.10.1 as compromised.

How to fix CVE-2026-45758?

  1. Audit all environments immediately: run `pip show guardrails-ai` across dev machines, CI runners, and production containers to identify any 0.10.1 installations.

  2. Downgrade to safe version: `pip install guardrails-ai==0.10.0` or use the clean Git tag: `pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0`.

  3. Treat any host that had 0.10.1 as fully compromised: rotate GitHub PATs, cloud provider keys (AWS, GCP, Azure), API keys (OpenAI, Anthropic, Hugging Face), package registry tokens, and Snowglobe/Guardrails Hub API keys.

  4. Audit GitHub accounts for unauthorized OAuth app authorizations, new Actions workflows, repository forks, or SSH key additions.

  5. Pin guardrails-ai==0.10.0 in all lockfiles (requirements.txt, pyproject.toml, pip-compile outputs) and enforce version pinning in CI/CD.

  6. Enable hash verification in pip installs (--require-hashes) and integrate PyPI provenance attestation checks.

  7. Review network egress logs from affected hosts for anomalous outbound connections during the May 11 window.

What systems are affected by CVE-2026-45758?

This vulnerability affects the following AI/ML architecture patterns: LLM application stacks with input/output validation, AI agent frameworks, CI/CD pipelines for AI projects, Model serving with output filtering, MLOps pipelines.

What is the CVSS score for CVE-2026-45758?

CVE-2026-45758 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.28%.

What is the AI security impact?

Affected AI Architectures

LLM application stacks with input/output validation, AI agent frameworks, CI/CD pipelines for AI projects, model serving with output filtering, MLOps pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.001 Malicious Package
AML.T0055 Unsecured Credentials
AML.T0074 Masquerading
AML.T0109 AI Supply Chain Rug Pull

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.10.8
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

### Impact

On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` (0.10.1) to PyPI.

**Affected:** any user who installed `guardrails-ai==0.10.1` from PyPI on May 11, 2026.

Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, we have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through our systems. For the full timeline, technical details, and remediation steps we have taken, see [SECURITY_ADVISORY.md](https://github.com/guardrails-ai/guardrails/blob/main/SECURITY_ADVISORY.md).

### Patches

No patched version above 0.10.1 is available yet. **Downgrade to `0.10.0`**, which is unaffected.

### Workarounds

**1. Pin to a safe version:** `guardrails-ai==0.10.0`

**2. While the PyPI quarantine is active, install from GitHub:** `pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0`

The `v0.10.0` tag in this repository is clean. Track quarantine status here: [#1473](https://github.com/guardrails-ai/guardrails/issues/1473).

**3. If you installed 0.10.1, treat the host as potentially compromised.** Rotate any credentials accessible from that machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit your GitHub account for unauthorized workflows or repositories.

**4. Snowglobe and Guardrails Hub users:** all Snowglobe and Guardrails Hub API keys will be invalidated at 2:00 PM Pacific on May 13, 2026. Rotate yours before then to avoid service interruption.

### References

- Full advisory, timeline, and remediation details: [SECURITY_ADVISORY.md](https://github.com/guardrails-ai/guardrails/blob/main/SECURITY_ADVISORY.md)

Exploitation Scenario

An adversary with access to a compromised PyPI maintainer account or stolen publisher token uploads guardrails-ai 0.10.1, embedding malicious code in a post-install hook or __init__.py that executes on package installation or first import. A CI/CD pipeline running nightly dependency updates or a developer running `pip install guardrails-ai` without a pinned version pulls the malicious release from PyPI. On execution, the embedded code scans os.environ for high-value secrets — GITHUB_TOKEN, cloud provider credentials, and AI API keys — and transmits them to an adversary-controlled endpoint over HTTPS to evade network monitoring. The attacker uses the exfiltrated GitHub token to inject a backdoored GitHub Actions workflow into the victim's repository, achieving persistent access to future builds and enabling lateral movement into production cloud infrastructure. Because guardrails-ai is the AI safety layer, the victim's LLM applications simultaneously lose output validation while the attacker establishes persistence.
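Because the scenario has the harvested secrets leaving over HTTPS, port- or protocol-based filtering will not separate the exfiltration from ordinary traffic; step 7's egress review has to work from which hosts talked to which destinations, and when. The block below is an added example, not from the advisory or from the Guardrails project. It reads JSON-lines egress records, keeps those from hosts known to have had 0.10.1 that fall inside the window, drops destinations on an expected-destinations list, and then pivots on the flagged destinations to find other hosts that reached them. The log records, host names, addresses (documentation ranges) and the expected-destinations set are constructed; the window start assumes the advisory's "approximately 6:00 PM Pacific" is PDT, i.e. about 01:00 UTC on May 12.

```python
"""Egress review for hosts that had guardrails-ai 0.10.1 installed.
Added example; the records below are constructed, not real telemetry."""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Constructed JSON-lines egress records, as a proxy or flow collector might
# emit them. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
{"ts": "2026-05-11T20:00:00Z", "host": "ci-runner-07", "dst": "files.pythonhosted.org", "port": 443, "bytes_out": 1204}
{"ts": "2026-05-12T01:40:12Z", "host": "ci-runner-07", "dst": "203.0.113.10", "port": 443, "bytes_out": 48213}
{"ts": "2026-05-12T01:41:00Z", "host": "ci-runner-07", "dst": "api.github.com", "port": 443, "bytes_out": 3310}
{"ts": "2026-05-12T02:05:00Z", "host": "dev-laptop-3", "dst": "203.0.113.10", "port": 443, "bytes_out": 51002}
{"ts": "2026-05-12T09:00:00Z", "host": "ci-runner-07", "dst": "198.51.100.5", "port": 8443, "bytes_out": 9000}
{"ts": "2026-05-12T02:10:00Z", "host": "dev-laptop-3", "dst": "pypi.org", "port": 443, "bytes_out": 800}
"""

# Assumption: "approximately 6:00 PM Pacific, May 11" is PDT (UTC-7), so the
# earliest any host could have pulled 0.10.1 is about 2026-05-12T01:00Z. There is
# no default end: an installed copy can keep beaconing after the quarantine.
WINDOW_START = datetime(2026, 5, 12, 1, 0, tzinfo=timezone.utc)

# Constructed list of destinations an affected host is expected to reach anyway.
# Replace with your own inventory; everything else from an affected host is reported.
EXPECTED_DESTINATIONS = {"pypi.org", "files.pythonhosted.org", "github.com", "api.github.com"}


def parse_ts(value: str) -> datetime:
    """ISO-8601 timestamp with a trailing Z to an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_line(line: str) -> dict:
    rec = json.loads(line)
    rec["ts"] = parse_ts(rec["ts"])
    return rec


def review_egress(log_text: str, affected_hosts: set[str],
                  window_start: datetime = WINDOW_START,
                  window_end: datetime | None = None,
                  expected: set[str] = EXPECTED_DESTINATIONS) -> tuple[list[dict], list[dict]]:
    """Return (primary, pivot).
    primary: connections from affected hosts, inside the window, to destinations
             not on the expected list; these are the candidates for exfiltration.
    pivot:   connections from hosts NOT in affected_hosts to any destination that
             appeared in primary; they widen the set of hosts that need auditing."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    in_window = [r for r in records
                 if r["ts"] >= window_start and (window_end is None or r["ts"] <= window_end)]
    primary = [r for r in in_window
               if r["host"] in affected_hosts and r["dst"] not in expected]
    flagged = {r["dst"] for r in primary}
    pivot = [r for r in in_window
             if r["host"] not in affected_hosts and r["dst"] in flagged]
    return primary, pivot


def summarize(primary: list[dict], pivot: list[dict]) -> list[str]:
    """One line per finding, suitable for a ticket or an incident timeline."""
    lines = [f"{r['ts'].isoformat()} {r['host']} -> {r['dst']}:{r['port']} "
             f"bytes_out={r['bytes_out']} (affected host, unexpected destination)"
             for r in primary]
    lines += [f"{r['ts'].isoformat()} {r['host']} -> {r['dst']}:{r['port']} "
              f"bytes_out={r['bytes_out']} (pivot: reached a flagged destination)"
              for r in pivot]
    return lines


if __name__ == "__main__":
    # Hosts where step 1's audit found 0.10.1 (constructed).
    for line in summarize(*review_egress(SAMPLE_LOG, {"ci-runner-07"})):
        print(line)
```

The pivot list is what turns a per-host review into scoping: a host that was not on the 0.10.1 list but reached the same unexpected destination in the window either had the package through a path the inventory missed or is a separate problem, and either way it joins the rotate-and-audit set.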

Weaknesses (CWE)

CWE-506 — Embedded Malicious Code: The product contains code that appears to be malicious in nature.

  • [Implementation, Operation] Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published: May 19, 2026
Last Modified: June 8, 2026
First Seen: May 19, 2026
