GHSA-XMPW-2VMM-P4P6
Vulnerability from github – Published: 2026-05-19 15:40 – Updated: 2026-06-09 13:13Impact
On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai (0.10.1) to PyPI.
Affected: any user who installed guardrails-ai==0.10.1 from PyPI on May 11, 2026.
Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, we have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through our systems.
For the full timeline, technical details, and remediation steps we have taken, see SECURITY_ADVISORY.md.
Patches
No patched version above 0.10.1 is available yet. Downgrade to 0.10.0, which is unaffected.
Workarounds
1. Pin to a safe version:
guardrails-ai==0.10.0
2. While the PyPI quarantine is active, install from GitHub:
pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0
The v0.10.0 tag in this repository is clean. Track quarantine status here: #1473.
3. If you installed 0.10.1, treat the host as potentially compromised. Rotate any credentials accessible from that machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit your GitHub account for unauthorized workflows or repositories.
4. Snowglobe and Guardrails Hub users : all Snowglobe and Guardrails Hub API keys will be invalidated at 2:00 PM Pacific on May 13, 2026. Rotate yours before then to avoid service interruption.
References
- Full advisory, timeline, and remediation details: SECURITY_ADVISORY.md
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "guardrails-ai"
},
"versions": [
"0.10.1"
]
}
],
"aliases": [
"CVE-2026-45758"
],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T15:40:44Z",
"nvd_published_at": "2026-06-05T20:17:32Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nOn May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` (0.10.1) to PyPI.\n\n**Affected:** any user who installed `guardrails-ai==0.10.1` from PyPI on May 11, 2026.\n\nSecurity researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, we have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through our systems.\n\nFor the full timeline, technical details, and remediation steps we have taken, see [SECURITY_ADVISORY.md](https://github.com/guardrails-ai/guardrails/blob/main/SECURITY_ADVISORY.md).\n\n### Patches\n\nNo patched version above 0.10.1 is available yet. **Downgrade to `0.10.0`**, which is unaffected.\n\n### Workarounds\n\n**1. Pin to a safe version:**\n\n`guardrails-ai==0.10.0`\n\n**2. While the PyPI quarantine is active, install from GitHub:**\n\n`pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0`\n\nThe `v0.10.0` tag in this repository is clean. Track quarantine status here: [#1473](https://github.com/guardrails-ai/guardrails/issues/1473).\n\n**3. If you installed 0.10.1, treat the host as potentially compromised.** Rotate any credentials accessible from that machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit your GitHub account for unauthorized workflows or repositories.\n\n**4. Snowglobe and Guardrails Hub users :** all Snowglobe and Guardrails Hub API keys will be invalidated at 2:00 PM Pacific on May 13, 2026. Rotate yours before then to avoid service interruption.\n\n### References\n\n- Full advisory, timeline, and remediation details: [SECURITY_ADVISORY.md](https://github.com/guardrails-ai/guardrails/blob/main/SECURITY_ADVISORY.md)",
"id": "GHSA-xmpw-2vmm-p4p6",
"modified": "2026-06-09T13:13:18Z",
"published": "2026-05-19T15:40:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/guardrails-ai/guardrails/security/advisories/GHSA-xmpw-2vmm-p4p6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45758"
},
{
"type": "WEB",
"url": "https://github.com/guardrails-ai/guardrails/issues/1473"
},
{
"type": "PACKAGE",
"url": "https://github.com/guardrails-ai/guardrails"
},
{
"type": "WEB",
"url": "https://github.com/guardrails-ai/guardrails/blob/main/SECURITY_ADVISORY.md"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/guardrails-ai/PYSEC-2026-206.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious code in guardrails-ai 0.10.1 (supply chain compromise)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.