Hugging Face A.I CyberSecurity Scoring
Hugging Face
Company Information
Website: https://huggingface.co
Employees number: 726
Number of followers: 35,000
NAICS: 5112
Industry Type: Software Development
Homepage: huggingface.co
Hugging Face Risk Score (AI oriented)
Hugging Face (Software Development)
Score band: between 700 and 749
Updated: 06/06/2026
Current score: 730/1000, grade Ba (Moderate)
Hugging Face Global Score (TPRM): score locked
3 incidents in the scoring window, -14 points average impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
June 2026: 730
May 2026: 750
Cyber Attack
19 May 2026 • Hugging Face
Hugging Face and Marimo: Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks
Score after incident: 730 | Severity: Critical (-20 points) | Incident ID: MARHUG1779193669
Critical Marimo Python Notebook Vulnerability Exploited for Remote Code Execution
A severe security flaw in the Marimo Python notebook framework (CVE-2026-39987) is being actively exploited to achieve pre-authentication remote code execution (RCE), granting attackers full control over vulnerable systems. The vulnerability stems from a missing authentication check in the `/terminal/ws` WebSocket endpoint, allowing unauthenticated attackers to spawn system-level shells without credentials.
### Key Details
- Affected Versions: Marimo ≤ 0.22.x
- Exploitation Method: Attackers connect to `ws://target:2718/terminal/ws` (2718 is Marimo's default port); no credentials are checked, and the connection yields an interactive shell.
- Active Threats: The flaw is being weaponized to deploy NKAbuse malware, with payloads hosted on Hugging Face Spaces, a popular AI/ML platform.
- Impact: Successful exploitation enables full system compromise, data theft (API keys, credentials, proprietary AI models), lateral movement, and persistence via cron jobs or container escapes.
### Technical Breakdown
The vulnerability arises from inconsistent authentication enforcement: while most Marimo endpoints are protected, the `/terminal/ws` WebSocket endpoint lacks any access control and directly spawns a pseudo-terminal (`pty.fork()`) as soon as a client connects. A few lines of Python that open the WebSocket and relay stdin and stdout are enough to execute arbitrary commands, turning the instance into a remotely accessible terminal.
### Broader Risks
Marimo is widely used in AI/ML prototyping, data science, and internal analytics, often in cloud or containerized environments with access to sensitive resources. A single breach can escalate into a broader infrastructure compromise, particularly in trusted internal networks.
### Mitigation
- Upgrade to Marimo 0.23.0 or later to patch the flaw.
- Restrict network exposure via VPNs or authenticated reverse proxies.
- Run containers as non-root and limit privileges.
- Monitor for suspicious WebSocket activity and shell spawning.
The incident highlights the growing abuse of legitimate AI platforms for malware distribution and underscores the need for strict authentication enforcement in WebSocket endpoints.
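The mitigation list above asks for monitoring of suspicious WebSocket activity. As an added example (not code from the advisory or from the Marimo project), the detector below parses constructed reverse-proxy access-log lines and flags completed WebSocket upgrades (HTTP 101) to `/terminal/ws` that either come from outside an allowed network range or carry no session cookie. The log format, the field order, the cookie name and the allowed networks are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in an assumed proxy log format:
# client_ip "METHOD path HTTP/x" status "Upgrade header" "Cookie header"
SAMPLE_LOG = """\
127.0.0.1 "GET /api/kernel/status HTTP/1.1" 200 "-" "marimo_session=abc123"
127.0.0.1 "GET /terminal/ws HTTP/1.1" 101 "websocket" "marimo_session=abc123"
203.0.113.42 "GET /terminal/ws HTTP/1.1" 101 "websocket" "-"
198.51.100.7 "GET /ws HTTP/1.1" 101 "websocket" "-"
10.0.0.5 "GET /terminal/ws HTTP/1.1" 101 "websocket" "-"
203.0.113.42 "GET /terminal/ws HTTP/1.1" 101 "websocket" "marimo_session=stolen"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'"(?P<upgrade>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Assumption: only loopback and one internal subnet may ever reach the terminal endpoint.
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]
TERMINAL_PATH = "/terminal/ws"


@dataclass
class Finding:
    ip: str
    path: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_allowed_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def analyse(log_text):
    """Flag terminal WebSocket sessions from outside the allowed networks or without a session cookie."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only completed upgrades (101) to the terminal endpoint are interesting here.
        if rec["path"] != TERMINAL_PATH or rec["status"] != "101":
            continue
        if rec["upgrade"].lower() != "websocket":
            continue
        if not is_allowed_source(rec["ip"]):
            findings.append(Finding(rec["ip"], rec["path"], "terminal websocket from outside allowed networks"))
        elif rec["cookie"] == "-":
            # Pre-auth RCE means the server never asked for a cookie; an internal
            # client opening a terminal without one is still worth an alert.
            findings.append(Finding(rec["ip"], rec["path"], "terminal websocket without session cookie"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ip} {f.path}: {f.reason}")
```

The allowed-source test runs first on purpose: an external client presenting a cookie is still a finding, because a stolen or replayed session is exactly what a blocked external connection would look like once the patch and an authenticated proxy are in place.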
April 2026: 755
Vulnerability
28 Apr 2026 • Hugging Face
Hugging Face: Hugging Face LeRobot Vulnerability Enables Unauthenticated Remote Code Execution Attacks
Score after incident: 750 | Severity: Critical (-5 points) | Incident ID: HUG1777387852
Critical RCE Vulnerability in Hugging Face’s LeRobot Exposes AI and Robotics Systems
A severe remote code execution (RCE) vulnerability, tracked as CVE-2026-25874 (CVSS 9.8), has been discovered in Hugging Face’s LeRobot, an open-source robotics machine learning framework with over 21,500 GitHub stars. The flaw allows unauthenticated attackers to execute arbitrary system commands on vulnerable deployments, posing a significant risk to AI and research environments leveraging distributed GPU-based inference.
The vulnerability stems from LeRobot’s asynchronous inference architecture, in which policy computations are offloaded to a GPU-backed, gRPC-based PolicyServer. The server uses Python’s `pickle.loads()` to deserialize incoming data across multiple RPC endpoints, including `SendPolicyInstructions` and `SendObservations`, without validating it first. Because `pickle` inherently permits arbitrary code execution during deserialization, a malicious payload runs system-level commands before any type check is reached.
Compounding the risk, the gRPC service is configured with `add_insecure_port()`, exposing communications without TLS or authentication. While LeRobot binds to localhost by default, production deployments often expose the service on `0.0.0.0`, enabling remote exploitation. Attackers with network access can scan for exposed instances and deliver crafted payloads without authentication, making the flaw highly scalable.
Security researcher chocapikk identified that the vulnerability arises from unsafe deserialization occurring before validation, so a malicious object executes even if the result is later rejected. Notably, the affected code sections carried `#nosec` comments, meaning the security linter warnings for `pickle` had been suppressed rather than acted on.
To mitigate CVE-2026-25874, organizations are advised to:
- Replace `pickle` with secure alternatives like JSON, native protobuf fields, or Hugging Face’s `safetensors`.
- Enable TLS encryption by switching to `add_secure_port()`.
- Implement gRPC authentication via interceptors and token-based access controls.
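A minimal reproduction of the deserialize-before-validate failure described above, and of the first mitigation bullet, as an added example that is not LeRobot's code. A pickle payload's `__reduce__` hook runs inside `pickle.loads()` itself, so a type check on the returned object comes too late; a `RestrictedUnpickler` whose `find_class` refuses every global outside an explicit allowlist stops the payload before it runs. A JSON or protobuf message schema, as the mitigation list recommends, would avoid the problem entirely. The `Observation` message type, the allowlist and the benign side-effect marker (standing in for `os.system`) are assumptions for the demonstration.

```python
import io
import pickle
from dataclasses import dataclass

# Side-effect marker: in a real attack this is os.system(...) or similar.
EXECUTED = []


def attacker_side_effect(tag):
    EXECUTED.append(tag)
    return tag


@dataclass
class Observation:
    """The only message type the (assumed) PolicyServer expects on SendObservations."""
    step: int
    joints: list


class Payload:
    """Malicious object: pickle calls the callable returned by __reduce__ while loading."""
    def __reduce__(self):
        return (attacker_side_effect, ("pwned",))


def build_malicious_pickle():
    return pickle.dumps(Payload())


def build_benign_pickle():
    return pickle.dumps(Observation(step=1, joints=[0.1, 0.2]))


def unsafe_deserialize(raw):
    """Vulnerable pattern: deserialize first, validate afterwards."""
    obj = pickle.loads(raw)  # the payload has already executed by the time this returns
    if not isinstance(obj, Observation):
        raise TypeError("unexpected message type")
    return obj


class RestrictedUnpickler(pickle.Unpickler):
    # Only this module/name pair may be reconstructed; every other global is refused.
    ALLOWED = {(Observation.__module__, "Observation")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return Observation
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def safe_deserialize(raw):
    """Hardened pattern: the loader itself rejects unexpected globals before anything runs."""
    obj = RestrictedUnpickler(io.BytesIO(raw)).load()
    if not isinstance(obj, Observation):
        raise TypeError("unexpected message type")
    return obj


def run_demo():
    """Return what each loader did with the malicious payload and with a benign message."""
    results = {}
    raw_bad = build_malicious_pickle()

    EXECUTED.clear()
    try:
        unsafe_deserialize(raw_bad)
        results["unsafe_rejected"] = False
    except TypeError:
        results["unsafe_rejected"] = True
    results["unsafe_ran_payload"] = EXECUTED == ["pwned"]  # rejected, but too late

    EXECUTED.clear()
    try:
        safe_deserialize(raw_bad)
        results["safe_rejected"] = False
    except pickle.UnpicklingError:
        results["safe_rejected"] = True
    results["safe_ran_payload"] = bool(EXECUTED)

    obs = safe_deserialize(build_benign_pickle())
    results["benign_ok"] = obs == Observation(step=1, joints=[0.1, 0.2])
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Even the restricted loader is a stopgap: the allowlist has to name every legitimate class, and any allowed class with a permissive `__setstate__` widens the surface again. Moving the RPC payloads to typed protobuf fields removes the deserializer from the trust boundary altogether.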
The incident underscores persistent security gaps in machine learning frameworks, where rapid prototyping often overrides secure coding practices. Despite Hugging Face’s development of `safetensors` to address serialization risks, the flaw highlights inconsistent security implementation in distributed AI systems. As ML frameworks integrate deeper into production and robotics, secure design principles must become a foundational requirement, particularly for architectures handling untrusted network input.
March 2026: 771
Vulnerability
01 Mar 2026 • Hugging Face
HuggingFace: Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution Attacks
Score after incident: 754 | Severity: Critical (-17 points) | Incident ID: HUG1780734439
Critical RCE Vulnerability in HuggingFace Transformers Library Exposes AI Supply Chains
A newly disclosed critical vulnerability in the HuggingFace Transformers library, tracked as CVE-2026-4372, enables remote code execution (RCE) via malicious model configuration files. The flaw poses a severe supply chain risk, affecting developers, enterprises, and AI pipelines worldwide.
The vulnerability stems from improper handling of untrusted data in the `_attn_implementation_internal` attribute of a model’s `config.json`. An attacker who injects this field can force the library to execute arbitrary Python code during model loading even with `trust_remote_code=False`, the setting intended to block exactly that, so a key protection mechanism is bypassed.
The issue affects Transformers versions 4.56.0 through 5.2.x when the optional `kernels` package is installed. The vulnerable code was introduced in August 2025 and remained exploitable until March 2026, leaving users exposed for roughly six months. Throughout that window, loading a malicious model from the HuggingFace Hub via `from_pretrained()` could silently compromise the loading system.
In a typical attack, threat actors upload a model with a crafted `config.json` file pointing to an attacker-controlled repository. When loaded, the library automatically downloads and executes the referenced code without validation, granting attackers access to sensitive data including AWS credentials, SSH keys, API tokens, and environment variables. Exploitation also enables persistence, lateral movement, and potential compromise of CI/CD pipelines.
The attack is stealthy, producing no warnings or visible indicators, making detection difficult. With 2.2 billion installs and 146 million monthly downloads, the Transformers library’s widespread use amplifies the risk. Over one million models on HuggingFace Hub and an estimated 232 million vulnerable installations during the exposure window further expand the attack surface.
Researchers at Pluto Security highlighted that the flaw reflects a broader issue in machine learning ecosystems: treating model files and configurations as trusted inputs. Similar vulnerabilities have been observed in other frameworks, where "safe" modes fail to prevent code execution due to unaccounted internal pathways.
HuggingFace patched the issue in version 5.3.0 by blocking unsafe internal attributes and enforcing stricter kernel-loading controls. The fix now requires explicit user consent (`trust_remote_code=True`) for external code execution. The incident underscores the growing threat to AI supply chains as attackers increasingly target model distribution platforms.
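The attack path above turns on a single unexpected key in `config.json` reaching the loader. As an added example, not part of the advisory or the Transformers library, the check below is the kind of pre-load gate a pipeline can run on a downloaded model directory before calling `from_pretrained()`: it refuses a config carrying `_attn_implementation_internal`, flags any other underscore-prefixed (internal) key outside a small allowlist, and reports whether an installed Transformers version falls inside the affected range 4.56.0 to 5.2.x stated in the text. The directory layout, the `_name_or_path` allowlist entry, the version-parsing rule and the sample configs are assumptions; the attacker repository name is a constructed placeholder.

```python
import json
import re
import tempfile
from pathlib import Path

# Key named in the advisory, plus a general rule: internal (underscore-prefixed)
# attributes do not belong in a distributed config.json.
BLOCKED_KEYS = {"_attn_implementation_internal"}
# Assumption: the one underscore key that saved configs legitimately carry.
KNOWN_INTERNAL_KEYS = {"_name_or_path"}
AFFECTED_MIN = (4, 56, 0)   # first affected release per the advisory
FIXED = (5, 3, 0)           # first patched release per the advisory


def parse_version(v):
    """'5.2.1' -> (5, 2, 1); pre-release/dev suffixes are ignored (assumption)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version {v!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_is_affected(v):
    return AFFECTED_MIN <= parse_version(v) < FIXED


def audit_config(config):
    """Return the reasons this config must not be loaded (empty list = clean)."""
    problems = []
    for key, value in config.items():
        if key in BLOCKED_KEYS:
            problems.append(f"blocked key {key!r} = {value!r}")
        elif key.startswith("_") and key not in KNOWN_INTERNAL_KEYS:
            problems.append(f"unexpected internal key {key!r} present")
    return problems


def audit_model_dir(model_dir):
    """Audit <model_dir>/config.json; a missing file is itself a refusal reason."""
    path = Path(model_dir) / "config.json"
    if not path.is_file():
        return ["config.json missing"]
    with path.open(encoding="utf-8") as fh:
        return audit_config(json.load(fh))


# Constructed sample configs for the demonstration.
BENIGN_CONFIG = {
    "_name_or_path": "example-org/example-model",
    "model_type": "llama",
    "hidden_size": 4096,
    "num_attention_heads": 32,
}
MALICIOUS_CONFIG = dict(
    BENIGN_CONFIG,
    _attn_implementation_internal="attacker-org/hypothetical-kernel",  # placeholder, not a real repo
)


def demo():
    """Write the malicious config into a temporary model directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "config.json").write_text(json.dumps(MALICIOUS_CONFIG), encoding="utf-8")
        return audit_model_dir(tmp)


if __name__ == "__main__":
    print("benign:", audit_config(BENIGN_CONFIG))
    print("malicious:", demo())
    for v in ("4.55.4", "4.56.0", "5.2.9", "5.3.0"):
        print(v, "affected" if version_is_affected(v) else "not affected")
```

Run the audit against the resolved local snapshot (the directory the Hub cache actually hands to the loader), not against a copy fetched separately, so the bytes checked are the bytes loaded.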
Score history (no incidents recorded in these months):
February 2026: 771
January 2026: 771
December 2025: 771
November 2025: 771
October 2025: 771
September 2025: 771
August 2025: 771
July 2025: 771