Description
Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` (0.10.1) to PyPI. Any user who installed `guardrails-ai==0.10.1` from PyPI on May 11, 2026 may be affected. Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, Guardrails AI maintainers have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through their systems. Users should upgrade to version 0.10.2 or downgrade to version 0.10.0, both of which are unaffected. Those who installed version 0.10.1 should rotate any credentials accessible from their machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit their GitHub account for unauthorized workflows or repositories.
Published: 2026-06-05
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Guardrails AI, a Python framework for building AI applications, was the target of a supply chain compromise: on May 11, 2026 an attacker published a malicious version 0.10.1 to the Python Package Index (PyPI). The release carried embedded malicious code (CWE‑506), so installing it placed attacker-controlled code on the host. The advisory's instruction to rotate GitHub PATs, cloud provider keys, package registry tokens and API keys indicates that any secret readable by the installing user or process should be treated as exposed. Note the scope of the maintainers' negative finding: their telemetry shows no requests from 0.10.1 to Guardrails AI infrastructure and no exfiltration through their own systems, which says nothing about traffic to endpoints the attacker controls.

Affected Systems

Any environment that installed guardrails‑ai 0.10.1 from PyPI on May 11, 2026 is affected. The malicious release was live for roughly two hours before PyPI quarantined it, so this includes unpinned installs and CI jobs that resolved to the newest release during that window. Version 0.10.0, which predates the compromise, and the follow-up release 0.10.2 contain no malicious code and are unaffected.

Risk and Exploitability

The CVSS 3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) is critical: the only precondition is the user interaction of installing the package (UI:R), after which confidentiality, integrity and availability of the host are fully compromised, and the scope change (S:C) reflects that stolen credentials reach every system they unlock. EPSS is not yet available and the CVE is not in the CISA KEV catalog, but neither signal carries much weight here: the malicious release was published to a public index and pulled in by ordinary package resolution, so anyone who fetched 0.10.1 already has the malicious code on their machine. The attack vector is PyPI itself; no separate delivery mechanism was needed.

Generated by OpenCVE AI on June 5, 2026 at 21:36 UTC.

Remediation

Upgrade to guardrails‑ai 0.10.2 or downgrade to 0.10.0; the advisory reports both as unaffected. PyPI has quarantined the malicious release, but existing installations, caches and lock files that reference 0.10.1 remain affected until they are replaced.

OpenCVE Recommended Actions

  • Upgrade guardrails‑ai to version 0.10.2 or downgrade to 0.10.0; the advisory reports both as free of malicious code
  • Rotate all credentials that could have been accessed by the compromised installation (GitHub personal access tokens, cloud provider keys, registry tokens, API keys) on every host, container image and CI runner where 0.10.1 was installed
  • Audit your GitHub account for unauthorized workflows or repositories and remove any suspicious automations
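The first step above is easy to state but tedious to carry out across many environments, and the credential-rotation step only covers hosts you know had 0.10.1. The following script is an added example, not code from the advisory or from the Guardrails AI project: it scans text you already have (requirements files, `pip freeze` output, poetry.lock or uv.lock fragments, pip install logs) for the malicious release under any spelling of the project name, and reports whether the interpreter it runs in has 0.10.1 installed. The sample input at the bottom is constructed for illustration; version matching is an exact string comparison against 0.10.1, and the lock-file handling assumes the `name = "..."` / `version = "..."` layout that poetry.lock and uv.lock use.

```python
"""Triage helper for the guardrails-ai 0.10.1 supply chain compromise.

Added example; not part of the advisory or of the Guardrails AI project.
Finds references to the malicious release in requirements files, `pip freeze`
output, poetry/uv lock files and pip logs, and checks the running interpreter.
"""
import re
import sys
from importlib import metadata

AFFECTED_NAME = "guardrails-ai"        # PEP 503 normalized project name
AFFECTED_VERSION = "0.10.1"            # the compromised release (exact match)
SAFE_VERSIONS = {"0.10.0", "0.10.2"}   # releases the advisory calls unaffected


def normalize(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become one '-', lowercased.
    'Guardrails_AI', 'guardrails.ai' and 'guardrails-ai' are the same project,
    and wheel filenames always use the underscore form."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Pinned requirement anywhere in a line: requirements.txt, `pip freeze`,
# "Collecting guardrails-ai==0.10.1" in pip logs. The lookbehind stops the
# match starting in the middle of a longer name.
_PIN_RE = re.compile(
    r"(?<![A-Za-z0-9._-])([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)"
)
# Wheel or sdist filename: guardrails_ai-0.10.1-py3-none-any.whl,
# guardrails_ai-0.10.1.tar.gz (pip logs, `pip cache list`, artifact stores).
_FILE_RE = re.compile(
    r"([A-Za-z0-9][A-Za-z0-9._]*)-([0-9][0-9A-Za-z.]*?)(?:-py\d|\.tar\.gz|\.zip|\.whl)"
)
# TOML package tables in poetry.lock / uv.lock: a `name = "..."` line followed
# by a `version = "..."` line (assumed layout).
_TOML_NAME_RE = re.compile(r'^\s*name\s*=\s*"([^"]+)"')
_TOML_VERSION_RE = re.compile(r'^\s*version\s*=\s*"([^"]+)"')


def scan_lines(lines):
    """Return [(line_number, line)] for every line naming the affected release."""
    hits = []
    pending_toml_name = None   # name from the most recent TOML `name = ...` line
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip()
        m = _TOML_NAME_RE.match(line)
        if m:
            pending_toml_name = normalize(m.group(1))
            continue
        m = _TOML_VERSION_RE.match(line)
        if m:
            if pending_toml_name == AFFECTED_NAME and m.group(1) == AFFECTED_VERSION:
                hits.append((lineno, line))
            pending_toml_name = None
            continue
        m = _PIN_RE.search(line)
        if m and normalize(m.group(1)) == AFFECTED_NAME and m.group(2) == AFFECTED_VERSION:
            hits.append((lineno, line))
            continue
        if any(normalize(n) == AFFECTED_NAME and v == AFFECTED_VERSION
               for n, v in _FILE_RE.findall(line)):
            hits.append((lineno, line))
    return hits


def installed_status(dist_name: str = AFFECTED_NAME) -> str:
    """Classify the copy installed in *this* interpreter: 'affected', 'safe',
    'other:<version>' or 'absent'. Run it inside each venv/container you triage."""
    try:
        version = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return "absent"
    if version == AFFECTED_VERSION:
        return "affected"
    if version in SAFE_VERSIONS:
        return "safe"
    return f"other:{version}"


# Constructed sample input: a requirements file, a pip log excerpt and a
# lock-file fragment pasted together. Not real output from any system.
SAMPLE_LINES = """\
# constructed sample: requirements, pip log and lock fragment in one file
requests==2.32.3
guardrails-ai==0.10.1
Guardrails_AI == 0.10.2
Collecting guardrails-ai==0.10.1
  Downloading guardrails_ai-0.10.1-py3-none-any.whl (340 kB)
  Downloading guardrails_ai-0.10.0.tar.gz (300 kB)
[[package]]
name = "guardrails-ai"
version = "0.10.1"
[[package]]
name = "other-lib"
version = "0.10.1"
""".splitlines()


if __name__ == "__main__":
    # Pipe real data in (e.g. `pip freeze | python scan.py`); otherwise use the sample.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    for lineno, line in scan_lines(source):
        print(f"line {lineno}: {line}")
    print("installed in this interpreter:", installed_status())
```

Feed it real data with `pip freeze | python scan.py` inside each virtualenv, and run it over CI logs and the output of `pip cache list`, since a cached wheel records that 0.10.1 was installed even after the environment itself was rebuilt. Every hit is a host or pipeline whose credentials fall under the rotation step above. As a preventive control, install with hash pinning (`pip install --require-hashes -r requirements.txt`) so a newly published release, malicious or not, cannot be pulled in silently.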


Advisories
Source: GitHub GHSA
ID: GHSA-xmpw-2vmm-p4p6
Title: Malicious code in guardrails-ai 0.10.1 (supply chain compromise)
History

Fri, 05 Jun 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Guardrailsai; Guardrailsai guardrails

Type: Vendors & Products
Values Added: Guardrailsai; Guardrailsai guardrails

Fri, 05 Jun 2026 20:15:00 +0000

Type: Description
Values Added: Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` (0.10.1) to PyPI. Any user who installed `guardrails-ai==0.10.1` from PyPI on May 11, 2026 may be affected. Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, Guardrails AI maintainers have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through their systems. Users should upgrade to version 0.10.2 or downgrade to version 0.10.0, both of which are unaffected. Those who installed version 0.10.1 should rotate any credentials accessible from their machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit their GitHub account for unauthorized workflows or repositories.

Type: Title
Values Added: Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

Type: Weaknesses
Values Added: CWE-506

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:35:45.801Z

Reserved: 2026-05-13T06:54:34.222Z

Link: CVE-2026-45758

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-05T20:17:32.357

Modified: 2026-06-05T20:51:20.400

Link: CVE-2026-45758

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T21:30:04Z

Weaknesses