CVE-2026-45758 Overview
CVE-2026-45758 documents a supply chain attack against the guardrails-ai Python package on PyPI. An attacker published a malicious version 0.10.1 to the Python Package Index on May 11, 2026 at approximately 6:00 PM Pacific. Security researchers identified the malicious release within roughly two hours, and PyPI quarantined the project. The vulnerability is classified under [CWE-506] Embedded Malicious Code. The Guardrails AI maintainers report no telemetry indicating callbacks to their infrastructure from the malicious build. Users who installed guardrails-ai==0.10.1 must rotate credentials and audit their environments.
Critical Impact
Any developer or build pipeline that installed guardrails-ai==0.10.1 from PyPI on May 11, 2026 may have exposed local credentials, API keys, and source repositories to the attacker.
Affected Products
- Guardrails AI guardrails-ai version 0.10.1 distributed via PyPI
- Python build environments and CI/CD pipelines that pulled 0.10.1
- Developer workstations with cached credentials reachable by the installed package
Discovery Timeline
- 2026-05-11 - Malicious guardrails-ai==0.10.1 published to PyPI at approximately 6:00 PM Pacific
- 2026-05-11 - PyPI quarantined the package within roughly two hours of publication
- 2026-06-05 - CVE-2026-45758 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-45758
Vulnerability Analysis
The guardrails-ai project is a Python framework for building guardrails around large language model applications. An attacker uploaded a counterfeit 0.10.1 release containing embedded malicious code to PyPI. Any pip install guardrails-ai or unpinned dependency resolution executed during the exposure window selected the trojanized artifact. Because pip runs setup.py when installing a source distribution and the Python interpreter runs package code at import time, the malicious payload executed with the privileges of the installing user. The attack vector requires user interaction in the form of a package install, but it does not require authentication to the victim system. Versions 0.10.0 and 0.10.2 are unaffected.
Root Cause
The root cause is the distribution of a malicious package version through PyPI under the trusted guardrails-ai project name, classified as [CWE-506] Embedded Malicious Code. The Python packaging ecosystem trusts published releases by default, allowing a single malicious upload to reach every downstream consumer that resolves to that version. Version pinning only helps while the pin stays put: users who bumped the pin or re-resolved dependencies during the exposure window were not protected.
Attack Vector
The attacker relied on developers and automated build systems pulling the latest guardrails-ai release from PyPI. Once installed, the package code executes in the developer's environment with the same access to local secrets as the user who ran the install. Credentials at risk include GitHub Personal Access Tokens (PATs), cloud provider keys, package registry tokens, and API keys reachable from the affected machine. Stolen GitHub tokens can be used to plant unauthorized workflows or backdoor repositories. No verified proof-of-concept code is published; refer to the GitHub Security Advisory GHSA-xmpw-2vmm-p4p6 for vendor analysis.
Detection Methods for CVE-2026-45758
Indicators of Compromise
- Presence of guardrails-ai version 0.10.1 in pip freeze, requirements.txt, lock files, or container image manifests built on May 11, 2026
- Outbound network connections from Python build hosts to attacker-controlled domains shortly after pip install guardrails-ai
- Unexpected GitHub workflow files, new SSH keys, or new repositories created using developer PATs after May 11, 2026
Detection Strategies
- Query software bill of materials (SBOM) and package inventories for guardrails-ai==0.10.1 across developer machines, CI runners, and container images
- Review package install logs from internal mirrors or proxies and CI job histories for installs of guardrails-ai between May 11 and May 12, 2026
- Correlate GitHub audit logs and cloud provider audit trails for token use from unfamiliar IP addresses following the exposure window
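The inventory query above can be scripted. The following is an added example, not code from the page or from the Guardrails AI project: it classifies requirements.txt, constraints and pip freeze lines (the sample inventory is constructed) and also checks the running interpreter's site-packages. It flags both exact pins to 0.10.1 and specifiers loose enough to have resolved to 0.10.1 during the two-hour exposure window; the PEP 440 handling is a deliberate subset (plain X.Y.Z versions, no wildcards or pre-releases).

```python
"""Scan dependency inventories and the live environment for the trojanized guardrails-ai 0.10.1."""
import re
from importlib import metadata

PACKAGE, MALICIOUS = "guardrails-ai", (0, 10, 1)
# name, optional extras, then the specifier list (stops at markers, comments, line continuations)
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([^;#\\]*)")
_SPEC = re.compile(r"^(==|!=|>=|<=|~=|>|<)\s*(\d+(?:\.\d+)*)$")

def _norm(name):  # PEP 503 normalisation: guardrails_ai and Guardrails-AI compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def _ver(text):
    return tuple(int(p) for p in text.strip().split("."))

def _matches(spec, ver):
    """Minimal PEP 440 subset (assumption: plain X.Y.Z versions, no wildcards or pre-releases)."""
    m = _SPEC.match(spec)
    if not m:
        return False
    op, t = m.group(1), _ver(m.group(2))
    if op == "~=":  # ~=0.10.0 means >=0.10.0 and ==0.10.*
        return ver >= t and ver[:len(t) - 1] == t[:len(t) - 1]
    return {"==": ver == t, "!=": ver != t, ">=": ver >= t,
            "<=": ver <= t, ">": ver > t, "<": ver < t}[op]

def classify(line):
    """'malicious' for an exact pin to 0.10.1, 'resolvable' if the specifier could have
    selected 0.10.1 during the exposure window, None for other packages or safe pins."""
    m = _REQ.match(line)
    if not m or _norm(m.group(1)) != PACKAGE:
        return None
    specs = [s.strip() for s in m.group(3).split(",") if s.strip()]
    if not specs:
        return "resolvable"  # unpinned: 0.10.1 was the newest release for about two hours
    if all(_matches(s, MALICIOUS) for s in specs):
        return "malicious" if any(s.startswith("==") for s in specs) else "resolvable"
    return None

def installed_is_malicious(dist=PACKAGE):
    """Check the running interpreter's site-packages instead of a file."""
    try:
        return _ver(metadata.version(dist)) == MALICIOUS
    except (metadata.PackageNotFoundError, ValueError):
        return False

# Constructed sample mixing requirements.txt and pip-freeze style lines.
SAMPLE = ("guardrails-ai==0.10.1\nguardrails_ai>=0.10.0\nGuardrails-AI==0.10.2\n"
          "guardrails-ai\nguardrails-ai>=0.10.0,<0.10.1\nrequests==2.32.3\n")
```

Run classify over each line of every inventory file you collect; lines reported as resolvable need the install log or lock file consulted to learn which version was actually fetched.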
Monitoring Recommendations
- Alert on any new install or pull of guardrails-ai==0.10.1 from internal mirrors or proxy caches
- Monitor for anomalous use of developer credentials, including PAT-based pushes from unknown IPs and out-of-hours API calls
- Track creation of new GitHub Actions workflows referencing external secrets in repositories owned by affected developers
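The audit-log correlation in the Detection Strategies and Monitoring Recommendations lists can be scripted as well. This is an added example, not code from the page or from the Guardrails AI project: it reads a GitHub audit-log JSON export (the sample events are constructed), keeps only token-authenticated actions by affected developers that occurred after the exposure window started, and drops those from known egress ranges. The field names @timestamp, actor_ip and programmatic_access_type, and the allowlisted networks, are assumptions to verify against your own export.

```python
"""Flag token-authenticated GitHub activity from unfamiliar IPs after the guardrails-ai exposure window."""
import ipaddress
import json
from datetime import datetime, timezone

# 2026-05-11 18:00 Pacific (PDT, UTC-7) is 2026-05-12 01:00 UTC.
EXPOSURE_START = datetime(2026, 5, 12, 1, 0, tzinfo=timezone.utc)
# Assumption: the organisation's known egress ranges; replace with your own.
KNOWN_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

def _ms(dt):
    return int(dt.timestamp() * 1000)

def is_known_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or redacted actor_ip counts as unknown
        return False
    return any(addr in net for net in KNOWN_NETS)

def suspicious(event):
    """Token-based action, after the window opened, from an IP outside the allowlist.
    Assumption: export fields follow GitHub's audit-log JSON (@timestamp in ms since epoch,
    actor_ip, programmatic_access_type)."""
    ts = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
    token_auth = "token" in str(event.get("programmatic_access_type", "")).lower()
    return ts >= EXPOSURE_START and token_auth and not is_known_ip(event.get("actor_ip", ""))

def triage(jsonl, affected_actors):
    """Return (actor, action, ip, repo) for suspicious events by developers who installed 0.10.1."""
    hits = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        if ev.get("actor") in affected_actors and suspicious(ev):
            hits.append((ev["actor"], ev["action"], ev.get("actor_ip"), ev.get("repo")))
    return hits

# Constructed sample export: one PAT push from an unknown IP after the window, plus benign noise.
_EVENTS = [
    {"@timestamp": _ms(datetime(2026, 5, 12, 3, 0, tzinfo=timezone.utc)), "action": "git.push",
     "actor": "alice", "actor_ip": "198.51.100.7", "programmatic_access_type": "Personal access token", "repo": "acme/app"},
    {"@timestamp": _ms(datetime(2026, 5, 12, 3, 5, tzinfo=timezone.utc)), "action": "git.push",
     "actor": "alice", "actor_ip": "203.0.113.5", "programmatic_access_type": "Personal access token", "repo": "acme/app"},
    {"@timestamp": _ms(datetime(2026, 5, 10, 9, 0, tzinfo=timezone.utc)), "action": "repo.create",
     "actor": "alice", "actor_ip": "198.51.100.7", "programmatic_access_type": "Personal access token", "repo": "acme/tools"},
    {"@timestamp": _ms(datetime(2026, 5, 12, 4, 0, tzinfo=timezone.utc)), "action": "org.update_member",
     "actor": "alice", "actor_ip": "198.51.100.7"},
]
SAMPLE = "\n".join(json.dumps(e) for e in _EVENTS)
```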
How to Mitigate CVE-2026-45758
Immediate Actions Required
- Upgrade guardrails-ai to version 0.10.2, or downgrade to 0.10.0; both are unaffected
- Rotate all credentials accessible from any machine that installed 0.10.1, including GitHub PATs, cloud keys, package registry tokens, and API keys
- Audit GitHub accounts and organizations for unauthorized workflows, repositories, deploy keys, and OAuth grants
- Rebuild any container images or artifacts produced from guardrails-ai==0.10.1 after pinning to a safe version
Patch Information
The Guardrails AI maintainers published version 0.10.2 to PyPI as the fixed release. Version 0.10.0 is also unaffected and may be used as a temporary downgrade. See the Guardrails AI Security Advisory and GitHub Issue #1473 for vendor guidance.
Workarounds
- Pin guardrails-ai to 0.10.0 or 0.10.2 in requirements.txt, pyproject.toml, and lock files
- Configure internal PyPI proxies to block guardrails-ai==0.10.1 and require hash-pinned installs
- Restrict outbound network access from CI build runners to limit data exfiltration during package installs
# Pin to a safe version and verify what is actually installed
pip install 'guardrails-ai==0.10.2'
pip show guardrails-ai | grep -i '^version'
# Use a constraints file so dependency resolution can never select 0.10.1
echo 'guardrails-ai==0.10.2' >> constraints.txt
pip install -c constraints.txt -r requirements.txt
# For hash-pinned installs, record each artifact's digest (pip hash <file>) in requirements.txt and enforce it
pip install --require-hashes -r requirements.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

