CVE-2026-45758: guardrails-ai: malicious 0.10.1 enables host compromise
GHSA-xmpw-2vmm-p4p6 | CRITICAL

On May 11, 2026, an adversary published a trojanized guardrails-ai 0.10.1 to PyPI containing embedded malicious code (CWE-506), targeting AI teams that rely on this library to validate LLM inputs and outputs. The CVSS 9.6 score with Scope:Changed reflects the true blast radius: exploitation extends beyond the package itself to the entire host OS and any cloud credentials, GitHub PATs, or API keys accessible from that machine. With 7 tracked downstream dependents and widespread use in CI/CD pipelines where dependency installs are automated and unattended, the 2-hour exposure window was sufficient for silent compromise across many environments. Any host that had 0.10.1 installed — even briefly — must be treated as fully compromised: rotate all credentials immediately, audit GitHub accounts for unauthorized workflows or repository changes, and downgrade to 0.10.0 before restoring production workloads.
What is the risk?
Critical. CVSS 9.6 with AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H means the adversary needs only a victim to run pip install — no authentication, no complex preconditions. Scope:Changed is the decisive factor: the initial compromise of the Python package escalates to full OS-level control and credential access across cloud infrastructure. The target is an AI security library used specifically to harden LLM applications, meaning affected teams simultaneously lose their guardrails protection while being compromised. No patched release above 0.10.1 exists; remediation requires a downgrade. Risk is elevated for any org running unpinned dependencies in CI/CD or developer environments with access to production cloud accounts.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Guardrails AI | pip | = 0.10.1 | No patch |
Do you use Guardrails AI? You're affected.
What should I do?
7 steps:

1. Audit all environments immediately: run `pip show guardrails-ai` across dev machines, CI runners, and production containers to identify any 0.10.1 installations.
2. Downgrade to safe version: `pip install guardrails-ai==0.10.0` or use the clean Git tag: `pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0`.
3. Treat any host that had 0.10.1 as fully compromised: rotate GitHub PATs, cloud provider keys (AWS, GCP, Azure), API keys (OpenAI, Anthropic, Hugging Face), package registry tokens, and Snowglobe/Guardrails Hub API keys.
4. Audit GitHub accounts for unauthorized OAuth app authorizations, new Actions workflows, repository forks, or SSH key additions.
5. Pin `guardrails-ai==0.10.0` in all lockfiles (requirements.txt, pyproject.toml, pip-compile outputs) and enforce version pinning in CI/CD.
6. Enable hash verification in pip installs (`--require-hashes`) and integrate PyPI provenance attestation checks.
7. Review network egress logs from affected hosts for anomalous outbound connections during the May 11 window.
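An audit helper for the inventory, downgrade and pinning steps above, added here as an example and not code from the Guardrails AI project: it reports what `pip show guardrails-ai` would for the running interpreter and classifies every guardrails-ai spec in requirements-style text as malicious, unpinned, a version range, or pinned with or without a hash. The sample lockfile and its hash value are constructed placeholders.

```python
"""Audit helper for CVE-2026-45758 (trojanized guardrails-ai 0.10.1); added example."""
import re
from importlib import metadata

PACKAGE, MALICIOUS, SAFE = "guardrails-ai", "0.10.1", "0.10.0"
# One requirement line: name (optional extras), optional operator and version;
# case-insensitive with '-' or '_' in the name, as pip normalizes project names.
REQ_RE = re.compile(
    r"^\s*guardrails[-_]ai(?![\w-])(?:\[[^\]]*\])?\s*"
    r"(?:(==|>=|<=|~=|!=|>|<)\s*([\w.*]+))?", re.I)

def installed_version():
    """What `pip show guardrails-ai` reports for this interpreter, or None if absent."""
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None

def classify_installed(version):
    """Only 0.10.1 is the trojanized build; a host that had it is compromised."""
    return {None: "absent", MALICIOUS: "COMPROMISED", SAFE: "safe"}.get(version, "unknown")

def audit_requirements(text):
    """Return (spec, verdict) per guardrails-ai line; backslash continuations are
    joined first so a --hash= on the following line still counts for that spec."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        m = REQ_RE.match(line)
        if not m:
            continue
        op, ver = m.groups()
        if op is None:
            verdict = "unpinned"      # floats to latest: pulled 0.10.1 on May 11
        elif op == "==" and ver == MALICIOUS:
            verdict = "malicious"
        elif op == "==" and ver == SAFE:
            verdict = "pinned-safe" if "--hash=" in line else "pinned-no-hash"
        else:
            verdict = "range"         # >= or ~= can still resolve to 0.10.1
        findings.append((line, verdict))
    return findings

# Constructed sample lockfile, not a real project file; the hash is a placeholder.
SAMPLE_REQUIREMENTS = """guardrails-ai==0.10.1
Guardrails_AI[all]>=0.9
guardrails-ai
guardrails-ai==0.10.0 \\
    --hash=sha256:PLACEHOLDER
"""
```

Run `audit_requirements` over each requirements.txt or pip-compile output in the repository and `classify_installed(installed_version())` inside each environment; any "malicious", "unpinned" or "range" verdict means that environment must be handled as a possible 0.10.1 install.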
Frequently Asked Questions
Is CVE-2026-45758 actively exploited?
No confirmed active exploitation of CVE-2026-45758 has been reported, but organizations should still remediate proactively (no patched release exists; downgrade to 0.10.0).
What systems are affected by CVE-2026-45758?
This vulnerability affects the following AI/ML architecture patterns: LLM application stacks with input/output validation, AI agent frameworks, CI/CD pipelines for AI projects, Model serving with output filtering, MLOps pipelines.
What is the CVSS score for CVE-2026-45758?
CVE-2026-45758 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.28%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.001 Malicious Package
- AML.T0055 Unsecured Credentials
- AML.T0074 Masquerading
- AML.T0109 AI Supply Chain Rug Pull
What are the technical details?
Original Advisory
### Impact

On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` (0.10.1) to PyPI.

**Affected:** any user who installed `guardrails-ai==0.10.1` from PyPI on May 11, 2026.

Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, we have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through our systems.

For the full timeline, technical details, and remediation steps we have taken, see [SECURITY_ADVISORY.md](https://github.com/guardrails-ai/guardrails/blob/main/SECURITY_ADVISORY.md).

### Patches

No patched version above 0.10.1 is available yet. **Downgrade to `0.10.0`**, which is unaffected.

### Workarounds

**1. Pin to a safe version:** `guardrails-ai==0.10.0`

**2. While the PyPI quarantine is active, install from GitHub:** `pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0`

The `v0.10.0` tag in this repository is clean. Track quarantine status here: [#1473](https://github.com/guardrails-ai/guardrails/issues/1473).

**3. If you installed 0.10.1, treat the host as potentially compromised.** Rotate any credentials accessible from that machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit your GitHub account for unauthorized workflows or repositories.

**4. Snowglobe and Guardrails Hub users:** all Snowglobe and Guardrails Hub API keys will be invalidated at 2:00 PM Pacific on May 13, 2026. Rotate yours before then to avoid service interruption.

### References

- Full advisory, timeline, and remediation details: [SECURITY_ADVISORY.md](https://github.com/guardrails-ai/guardrails/blob/main/SECURITY_ADVISORY.md)
Exploitation Scenario
An adversary with access to a compromised PyPI maintainer account or stolen publisher token uploads guardrails-ai 0.10.1, embedding malicious code in a post-install hook or __init__.py that executes on package installation or first import. A CI/CD pipeline running nightly dependency updates or a developer running `pip install guardrails-ai` without a pinned version pulls the malicious release from PyPI. On execution, the embedded code scans os.environ for high-value secrets — GITHUB_TOKEN, cloud provider credentials, and AI API keys — and transmits them to an adversary-controlled endpoint over HTTPS to evade network monitoring. The attacker uses the exfiltrated GitHub token to inject a backdoored GitHub Actions workflow into the victim's repository, achieving persistent access to future builds and enabling lateral movement into production cloud infrastructure. Because guardrails-ai is the AI safety layer, the victim's LLM applications simultaneously lose output validation while the attacker establishes persistence.
Weaknesses (CWE)
CWE-506 — Embedded Malicious Code: The product contains code that appears to be malicious in nature.
- [Implementation, Operation] Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
Source: MITRE CWE corpus.
CVSS Vector
`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H`
Related Vulnerabilities
- CVE-2026-31233 (9.8) guardrails-ai: RCE via malicious Hub package manifest. Same package: guardrails-ai
- CVE-2024-2912 (10.0) BentoML: RCE via insecure deserialization (CVSS 10). Same attack type: Supply Chain
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read. Same attack type: Supply Chain
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Supply Chain
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection. Same attack type: Supply Chain