Description
Guardrails AI through 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the post_install field. The script path is constructed from untrusted manifest data and executed without proper validation or sanitization, allowing remote code execution. An attacker who can publish malicious packages to the Hub can inject arbitrary code that will be executed on any system where a victim installs the malicious package.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Guardrails AI versions up to and including 0.6.7 allow an attacker who can publish a package to the Hub to inject arbitrary code that runs during the installation of that package. The vulnerability arises in the Hub package installation mechanism, where manifest data is used to construct a script path that is then executed without validation or sanitization. This flaw is classified as CWE-94 and enables remote execution of malicious code on any system that installs the compromised package.

Affected Systems

The vulnerability affects Guardrails AI’s Hub installation process for package versions 0.6.7 and earlier, with no more specific version list provided. Any environment that uses Guardrails AI to install packages from the Hub is potentially impacted.

Risk and Exploitability

The CVSS score is not supplied, but the impact is severe because the flaw permits execution of arbitrary code on the target system. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is publication of a malicious package to the Hub by an attacker with publishing access; once a user installs that package, the crafted post_install script runs with no restrictions. The overall risk is high, with the potential for complete compromise of the affected machine.

Generated by OpenCVE AI on May 12, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Guardrails AI version that includes a fix for the dynamic script execution flaw, if one is released by the vendor.
  • Limit Hub package installations to trusted, manually verified packages and audit the manifest data before execution to prevent untrusted scripts from running.
  • If a patch is not yet available, disable the post_install execution mechanism or remove the post_install entry from the manifest until a fix is applied.
  • Keep monitoring the Hub for unauthorized or unexpected package submissions and revoke or remove any suspicious packages promptly.
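A hardened version of the manifest-driven post_install handling described above, added here as an illustration and not Guardrails AI's own code: it keeps hook execution off by default and rejects any post_install value that is not a plain relative path resolving to a file inside the package directory. The manifest layout, the package directory and the use of Python hook scripts are assumptions.

```python
# Added example (not Guardrails AI's own code): a hardened handler for the
# manifest-driven post_install hook described in this record. The manifest
# layout, the package directory and the use of Python hook scripts are
# assumptions for illustration.
import os
import pathlib
import subprocess
import sys
from typing import Optional


class UnsafeManifestError(ValueError):
    """Raised when a manifest's post_install entry fails validation."""


def resolve_post_install(manifest: dict, package_dir: str,
                         allow_post_install: bool = False) -> Optional[pathlib.Path]:
    """Return a validated hook path, or None when the manifest has no hook.

    Policy (mirrors the recommended actions above):
      * hooks are ignored unless explicitly enabled (default: off);
      * the value must be a non-empty relative path without traversal that
        resolves (symlinks included) to a regular file inside package_dir;
      * anything else is rejected outright rather than "sanitized".
    """
    hook = manifest.get("post_install")
    if hook is None:
        return None
    if not allow_post_install:
        raise UnsafeManifestError("post_install present but hook execution is disabled")
    if not isinstance(hook, str) or not hook or "\x00" in hook:
        raise UnsafeManifestError("post_install must be a non-empty string")
    if os.path.isabs(hook) or ".." in pathlib.PurePath(hook).parts:
        raise UnsafeManifestError(f"post_install path rejected: {hook!r}")
    root = pathlib.Path(package_dir).resolve()
    target = (root / hook).resolve()  # follows symlinks before the containment check
    if root not in target.parents:
        raise UnsafeManifestError(f"post_install escapes package dir: {hook!r}")
    if not target.is_file():
        raise UnsafeManifestError(f"post_install is not a file in the package: {hook!r}")
    return target


def run_post_install(manifest: dict, package_dir: str,
                     allow_post_install: bool = False) -> Optional[int]:
    """Validate, then run the hook with the interpreter as an argv list (no shell)."""
    script = resolve_post_install(manifest, package_dir, allow_post_install)
    if script is None:
        return None
    proc = subprocess.run([sys.executable, str(script)], cwd=package_dir, check=True, timeout=60)
    return proc.returncode
```

Rejecting instead of rewriting the value matters: a "sanitized" path still comes from the untrusted manifest, whereas a rejected manifest never reaches the interpreter.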

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000
  First Time appeared
    Values removed: (none)
    Values added: Guardrailsai; Guardrailsai guardrails
  Vendors & Products
    Values removed: (none)
    Values added: Guardrailsai; Guardrailsai guardrails

Tue, 12 May 2026 18:45:00 +0000
  Title
    Values removed: (none)
    Values added: Remote Code Injection in Guardrails AI Hub Package Installation
  Weaknesses
    Values removed: (none)
    Values added: CWE-94

Tue, 12 May 2026 17:30:00 +0000
  Description
    Values removed: (none)
    Values added: the CVE description given at the top of this page
  References
    Values removed: (none)
    Values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T17:09:01.062Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31233

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:16:51.627

Modified: 2026-05-12T18:16:51.627

Link: CVE-2026-31233

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T20:00:12Z

Weaknesses