How is CVE-2026-45758 exploited?

Network reachability (required): The malicious payload communicates outbound over the network; the compromised environment must have egress connectivity for the attacker to receive exfiltrated data or issue commands. Authentication (not-required): No authentication is required; any process that imports the compromised package triggers the malicious code without needing credentials. Victim interaction (required): A developer or automated pipeline must actively install or import guardrails-ai==0.10.1, making the install or build step the social-engineering or CI/CD pipeline vector. Attack complexity (info): Exploit conditions are straightforward and reliable once the malicious package is present; no race condition or special memory layout is needed.

What is the impact of CVE-2026-45758?

Reads secrets accessible from the build or runtime environment, including GitHub personal access tokens, cloud provider credential files, package registry tokens, and API keys stored in environment variables or config files. Modifies the environment by potentially writing unauthorized GitHub Actions workflows or creating rogue repositories under the victim's GitHub account. Exfiltrates captured credentials to attacker-controlled infrastructure over outbound network connections. Disrupts downstream CI/CD pipelines and deployed services if rotated credentials are embedded in running workloads before the compromise is discovered.

Back to search

CRITICALCVE-2026-45758Published 2026-06-05Modified 2026-06-05CNA GitHub_M

CVE-2026-45758: Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` (0.10.1) to PyPI. Aany user who installed `guardrails-ai==0.10.1` from PyPI on May 11, 2026 may be affected. Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, Guardrails AI maintainers have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through their systems. Users should upgrade to version 0.10.2 or downgrade to version 0.10.0, both of which are unaffected. Those who installed version 0.10.1 should rotate any credentials accessible from their machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit their GitHub account for unauthorized workflows or repositories.

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a supply chain compromise affecting guardrails-ai version 0.10.1, a Python framework for building AI applications. An attacker published a malicious package to PyPI on May 11, 2026; any container image that installed guardrails-ai==0.10.1 during that window may carry the backdoor. The malicious code runs in the context of the installing environment and, if triggered, gives the attacker full read access to secrets, the ability to modify files and environment state, and the ability to disrupt running processes. No fix version has been published by the upstream maintainers; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as a clean release is confirmed.

HarborGuard Coverage

Detection

Detection of CVE-2026-45758 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (GitHub Advisory Database, PyPI advisory feeds, OSV) within minutes of publication and matched against all customer images, including custom-built images that bundle Python dependencies. Any image whose dependency manifest resolves guardrails-ai==0.10.1 is flagged automatically, regardless of whether the package was installed directly or pulled in transitively.

Available

Triage

HarborGuard scores this CVE at CVSS 9.6 (Critical) and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are surfaced to the inbox or ticketing integration configured for each customer org, so the right team sees the alert without manual filtering.

Available

Patch

Because no fix version has been published upstream, a patched-image rebuild is not yet available. HarborGuard re-evaluates the advisory on every ingest cycle and will automatically make a rebuild available the moment upstream confirms a clean release (the maintainers have referenced 0.10.2 as a safe target version; HarborGuard will validate and trigger rebuilds as soon as that version is confirmed clean in the advisory record). For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once the upstream fix is verified.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The malicious payload communicates outbound over the network; the compromised environment must have egress connectivity for the attacker to receive exfiltrated data or issue commands.
AuthenticationNot required
No authentication is required; any process that imports the compromised package triggers the malicious code without needing credentials.
Victim interactionRequired
A developer or automated pipeline must actively install or import guardrails-ai==0.10.1, making the install or build step the social-engineering or CI/CD pipeline vector.
Attack complexityDetail
Exploit conditions are straightforward and reliable once the malicious package is present; no race condition or special memory layout is needed.

Blast Radius

Reads secrets accessible from the build or runtime environment, including GitHub personal access tokens, cloud provider credential files, package registry tokens, and API keys stored in environment variables or config files.
Modifies the environment by potentially writing unauthorized GitHub Actions workflows or creating rogue repositories under the victim's GitHub account.
Exfiltrates captured credentials to attacker-controlled infrastructure over outbound network connections.
Disrupts downstream CI/CD pipelines and deployed services if rotated credentials are embedded in running workloads before the compromise is discovered.

How HarborGuard Handles This

Available on HarborGuard: detection of guardrails-ai==0.10.1 is active across all scanning pipelines, and any image containing this package version is flagged as Critical immediately. Because no upstream fix version has been formally confirmed in the advisory record at time of publication, HarborGuard re-checks the advisory on every ingest cycle; once 0.10.2 (or a later version) is confirmed clean, a patched-image rebuild becomes available automatically, and customers with auto-remediation enabled will receive a rebuilt image, a regression test run, and a PR opened against affected workloads without manual intervention. In the interim, recommended compensating controls include: applying network-egress policies to block outbound connections from build and runtime containers to unknown destinations; auditing image build logs for any pip install invocations that resolved to 0.10.1; and, for any environment where this version was installed, rotating all credentials that were accessible during the build or runtime phase (GitHub PATs, cloud provider keys, registry tokens, API keys) and reviewing GitHub account activity for unauthorized workflows or repository changes.

See how HarborGuard automates this

Affected packages

guardrails-ai / guardrails
= 0.10.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified