CVE-2026-31233 — Remote code execution via Guardrails Hub post_install script execution

MITRE service request: 1988584

Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).

Official CVE description

Guardrails AI thru 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the post_install field. The script path is constructed from untrusted manifest data and executed without proper validation or sanitization, allowing remote code execution. An attacker who can publish malicious packages to the Hub can inject arbitrary code that will be executed on any system where a victim installs the malicious package.

Summary

guardrails hub install hub://vendor/pkg downloads manifests that may reference arbitrary post_install.py paths. The client runs those scripts with the active Python interpreter after pip install, giving package authors persistent RCE on victims’ workstations.

Affected product and versions

• Product: guardrails-ai/guardrails.
• Affected range (coordination record): through v0.6.7 (commit 0134069d6e0a7c4ac74bfc0b9e7be417e6ed79a0).

Technical details

• Surface: guardrails hub install pulling manifests from Guardrails Hub.
• Sink: subprocess.check_output / equivalent executing post_install script path from manifest JSON.
• Impact: RCE during install as the invoking user.
• Threat model: Malicious Hub publisher or compromised Hub account.

Risk

Critical — install-time RCE is equivalent to supply-chain takeover of developer machines.

Remediation / workaround

• Vet Hub packages; mirror trusted manifests offline; disable auto post-install hooks until patched.
• Vendor fix TBD.