Hugging Face and Marimo: Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks

Critical Marimo Python Notebook Vulnerability Exploited for Remote Code Execution

A severe security flaw in the Marimo Python notebook framework (CVE-2026-39987) is being actively exploited to achieve pre-authentication remote code execution (RCE), granting attackers full control over vulnerable systems. The vulnerability stems from a missing authentication check in the /terminal/ws WebSocket endpoint, allowing unauthenticated attackers to spawn system-level shells without credentials.

Key Details

• Affected Versions: Marimo ≤ 0.22.x
• Exploitation Method: Attackers connect to ws://target:2718/terminal/ws, bypassing authentication and gaining interactive shell access.
• Active Threats: The flaw is being weaponized to deploy NKAbuse malware, with payloads hosted on Hugging Face Spaces, a popular AI/ML platform.
• Impact: Successful exploitation enables full system compromise, data theft (API keys, credentials, proprietary AI models), lateral movement, and persistence via cron jobs or container escapes.

Technical Breakdown

The vulnerability arises from inconsistent authentication enforcement while most Marimo endpoints are protected, the /terminal/ws WebSocket endpoint lacks access controls, directly spawning a pseudo-terminal (pty.fork()) upon connection. A simple Python exploit can execute arbitrary commands, turning the instance into a remotely accessible terminal.

Broader Risks

Marimo is widely used in AI/ML prototyping, data science, and internal analytics, often in cloud or containerized environments with access to sensitive resources. A single breach can escalate into a broader infrastructure compromise, particularly in trusted internal networks.

Mitigation

• Upgrade to Marimo 0.23.0 or later to patch the flaw.
• Restrict network exposure via VPNs or authenticated reverse proxies.
• Run containers as non-root and limit privileges.
• Monitor for suspicious WebSocket activity and shell spawning.

The incident highlights the growing abuse of legitimate AI platforms for malware distribution and underscores the need for strict authentication enforcement in WebSocket endpoints.

Source: https://cybersecuritynews.com/marimo-security-vulnerability/

Hugging Face TPRM report: https://www.rankiteo.com/company/huggingface

Marimo TPRM report: https://www.rankiteo.com/company/marimo-io

"id": "marhug1779193669",
"linkid": "marimo-io, huggingface",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'industry': 'AI/ML, Data Science',
                        'name': 'Marimo',
                        'type': 'Software Framework'}],
 'attack_vector': 'WebSocket endpoint (/terminal/ws)',
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'API keys, credentials, '
                                             'proprietary AI models'},
 'description': 'A severe security flaw in the Marimo Python notebook '
                'framework (CVE-2026-39987) is being actively exploited to '
                'achieve pre-authentication remote code execution (RCE), '
                'granting attackers full control over vulnerable systems. The '
                'vulnerability stems from a missing authentication check in '
                'the `/terminal/ws` WebSocket endpoint, allowing '
                'unauthenticated attackers to spawn system-level shells '
                'without credentials.',
 'impact': {'data_compromised': 'API keys, credentials, proprietary AI models',
            'operational_impact': 'Full system compromise, lateral movement, '
                                  'persistence via cron jobs or container '
                                  'escapes',
            'systems_affected': 'Marimo Python notebook framework (≤ 0.22.x)'},
 'initial_access_broker': {'entry_point': 'WebSocket endpoint (/terminal/ws)'},
 'lessons_learned': 'The incident highlights the growing abuse of legitimate '
                    'AI platforms for malware distribution and underscores the '
                    'need for strict authentication enforcement in WebSocket '
                    'endpoints.',
 'post_incident_analysis': {'corrective_actions': 'Authentication enforcement '
                                                  'for WebSocket endpoints, '
                                                  'patching vulnerable '
                                                  'versions',
                            'root_causes': 'Missing authentication check in '
                                           'the `/terminal/ws` WebSocket '
                                           'endpoint'},
 'ransomware': {'ransomware_strain': 'NKAbuse malware'},
 'recommendations': 'Upgrade to Marimo 0.23.0 or later, restrict network '
                    'exposure, run containers as non-root, limit privileges, '
                    'monitor for suspicious WebSocket activity and shell '
                    'spawning.',
 'references': [{'source': 'Hugging Face Spaces'}],
 'response': {'containment_measures': 'Upgrade to Marimo 0.23.0 or later, '
                                      'restrict network exposure via VPNs or '
                                      'authenticated reverse proxies',
              'enhanced_monitoring': 'Monitor for suspicious WebSocket '
                                     'activity and shell spawning',
              'remediation_measures': 'Run containers as non-root, limit '
                                      'privileges'},
 'title': 'Critical Marimo Python Notebook Vulnerability Exploited for Remote '
          'Code Execution',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2026-39987'}