Summary
Workarounds
1. Pin to a safe version:
guardrails-ai==0.10.0
2. While the PyPI quarantine is active, install from GitHub:
pip install git+https://github.com/guardrails-ai/[email protected]
The v0.10.0 tag in this repository is clean. Track quarantine status here: #1473.
3. If you installed 0.10.1, treat the host as potentially compromised. Rotate any credentials accessible from that machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit your GitHub account for unauthorized workflows or repositories.
4. Snowglobe and Guardrails Hub users: all Snowglobe and Guardrails Hub API keys will be invalidated at 2:00 PM Pacific on May 13, 2026. Rotate yours before then to avoid service interruption.
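Added example (mine, not the advisory's or the guardrails project's code) that applies workaround steps 1 and 3 to a requirements file or a `pip freeze` dump: it flags the compromised 0.10.1 pin, warns where a version range could still resolve to it, and accepts the 0.10.0 pin. The lockfile below is constructed, and only plain numeric PEP 440 clauses are modelled.

```python
import re

MALICIOUS = (0, 10, 1)   # the compromised PyPI release named in the advisory

def canonical(name):
    """PEP 503 name normalisation: 'Guardrails_AI' -> 'guardrails-ai'."""
    return re.sub(r"[-_.]+", "-", name).lower()

_CMP = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def allows_malicious(spec):
    """True if a specifier such as '>=0.10,<0.11' would accept 0.10.1.
    Clauses we cannot parse are treated as NOT excluding it (safe default)."""
    if not spec.strip():
        return True                                   # unpinned dependency
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(==|!=|>=|<=|>|<|~=)\s*([\d.]+)\s*", clause)
        if not m:
            return True
        op, v = m.group(1), tuple(int(p) for p in m.group(2).split("."))
        if op == "~=":      # ~=0.10.0 means >=0.10.0,==0.10.*
            if not (MALICIOUS >= v and MALICIOUS[:len(v) - 1] == v[:-1]):
                return False
        elif not _CMP[op](MALICIOUS, v):
            return False
    return True

# requirement line: name, optional extras, specifier, optional ';' marker
_REQ = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*)(?:;.*)?")

def scan_requirements(text):
    """Classify each guardrails-ai line of a requirements.txt or pip freeze dump."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line or line.startswith("-") or "://" in line:
            continue                                  # options, URLs, blanks
        m = _REQ.fullmatch(line)
        if not m or canonical(m.group(1)) != "guardrails-ai":
            continue
        spec = re.sub(r"\s+", "", m.group(2))
        # MALICIOUS: treat the host as compromised (step 3); RISK: the resolver
        # may still select 0.10.1; OK: e.g. the 0.10.0 pin from step 1
        verdict = "MALICIOUS" if spec == "==0.10.1" else "RISK" if allows_malicious(spec) else "OK"
        findings.append((line, verdict))
    return findings

SAMPLE = """# constructed sample lockfile, not real data
Guardrails_AI == 0.10.1
guardrails-ai>=0.10,<0.11 ; python_version >= "3.9"
guardrails-ai==0.10.0
"""
```

Run `scan_requirements(open("requirements.txt").read())` against your own lockfile; any MALICIOUS verdict means step 3 applies to that host.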
References
- Full advisory, timeline, and remediation details: SECURITY_ADVISORY.md
Impact
On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai (0.10.1) to PyPI.
Affected: any user who installed guardrails-ai==0.10.1 from PyPI on May 11, 2026.
Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, we have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through our systems.
For the full timeline, technical details, and remediation steps we have taken, see SECURITY_ADVISORY.md.
CVE-2026-45758 has a CVSS score of 9.6 (Critical). The attack vector is network, no privileges are required, and user interaction is required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
No patched version above 0.10.1 is available yet. Downgrade to 0.10.0, which is unaffected.
Frequently Asked Questions
- What is CVE-2026-45758? CVE-2026-45758 is a critical-severity security vulnerability in guardrails-ai (pip), affecting version 0.10.1. No fixed version is listed yet.
- How severe is CVE-2026-45758? CVE-2026-45758 has a CVSS score of 9.6 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of guardrails-ai are affected by CVE-2026-45758? guardrails-ai (pip) version 0.10.1 is affected.
- Is there a fix for CVE-2026-45758? No fixed version is listed for CVE-2026-45758 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-45758 exploitable, and should I be worried? Whether CVE-2026-45758 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-45758 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.