ByteOS Network

NVD Vulnerability Details :

CVE-2026-31233

Deferred

Source-cve@mitre.org

Published At-12 May, 2026 | 18:16

Updated At-14 May, 2026 | 20:17

Guardrails AI thru 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the post_install field. The script path is constructed from untrusted manifest data and executed without proper validation or sanitization, allowing remote code execution. An attacker who can publish malicious packages to the Hub can inject arbitrary code that will be executed on any system where a victim installs the malicious package.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CWE ID	Type	Source
CWE-94	Secondary	134c704f-9b21-4f2e-91b3-4a467353bcc0

CWE ID: CWE-94

Type: Secondary

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

References

Hyperlink	Source	Resource
https://github.com/guardrails-ai/guardrails	cve@mitre.org	N/A
https://www.notion.so/CVE-2026-31233-35d1e13931888142a954fb3f50ee0c94	cve@mitre.org	N/A

Hyperlink: https://github.com/guardrails-ai/guardrails

Source: cve@mitre.org

Resource: N/A

Hyperlink: https://www.notion.so/CVE-2026-31233-35d1e13931888142a954fb3f50ee0c94

Source: cve@mitre.org

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History