CVE-2026-45758: Malicious code in guardrails-ai 0.10.1 (supply chain compromise)
Impact
On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai (0.10.1) to PyPI.
Affected: any user who installed guardrails-ai==0.10.1 from PyPI on May 11, 2026.
Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, we have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through our systems.
For the full timeline, technical details, and remediation steps we have taken, see SECURITYADVISORY.md.
Patches
No patched version above 0.10.1 is available yet. Downgrade to 0.10.0, which is unaffected.
Workarounds
1. Pin to a safe version:
guardrails-ai==0.10.0
2. While the PyPI quarantine is active, install from GitHub:
pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0
The v0.10.0 tag in this repository is clean. Track quarantine status here: #1473.
3. If you installed 0.10.1, treat the host as potentially compromised. Rotate any credentials accessible from that machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit your GitHub account for unauthorized workflows or repositories.
4. Snowglobe and Guardrails Hub users : all Snowglobe and Guardrails Hub API keys will be invalidated at 2:00 PM Pacific on May 13, 2026. Rotate yours before then to avoid service interruption.
References
- Full advisory, timeline, and remediation details: SECURITYADVISORY.md
Other sources
Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai (0.10.1) to PyPI. Aany user who installed guardrails-ai==0.10.1 from PyPI on May 11, 2026 may be affected. Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, Guardrails AI maintainers have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through their systems. Users should upgrade to version 0.10.2 or downgrade to version 0.10.0, both of which are unaffected. Those who installed version 0.10.1 should rotate any credentials accessible from their machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit their GitHub account for unauthorized workflows or repositories.
— MITRE
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2026-45758?
The severity of CVE-2026-45758 is critical with a score of 9.6.
How do I fix CVE-2026-45758?
To fix CVE-2026-45758, uninstall `guardrails-ai==0.10.1` and install a safe version of the package.
What impact does CVE-2026-45758 have on affected users?
CVE-2026-45758 allows attackers to execute arbitrary code on affected systems, leading to potential data compromise.
Which versions of guardrails-ai are affected by CVE-2026-45758?
CVE-2026-45758 affects users who installed `guardrails-ai==0.10.1` from PyPI.
When was CVE-2026-45758 publicly disclosed?
CVE-2026-45758 was publicly disclosed on May 19, 2026.