A critical zero-day vulnerability in the Marimo reactive Python notebook, identified as CVE-2026-39987, has been actively exploited by attackers to deploy a blockchain-based backdoor. This flaw, which has a CVSS score of 9.3, was exploited in the wild before its disclosure on April 9, 2026, highlighting the urgency for users to update their systems.
The vulnerability resides in the terminal WebSocket endpoint `/terminal/ws` of Marimo, which lacks authentication validation. This oversight allows unauthenticated attackers to gain a full PTY shell, enabling them to execute arbitrary system commands. The flaw is categorized under CWE-306, indicating a lack of authentication for critical functionality.
Attackers have weaponized this vulnerability to spread a sophisticated blockchain-based backdoor via the Hugging Face platform. This tactic involves leveraging the platform's popularity to distribute malicious payloads, thereby increasing the reach and impact of the attack. The backdoor, once installed, provides attackers with persistent access to compromised systems, allowing them to execute further malicious activities.
The exploitation of CVE-2026-39987 was swift, occurring within hours of its disclosure. This rapid exploitation underscores the critical nature of the vulnerability and the need for immediate defensive measures. The availability of at least five proof-of-concept exploits has further facilitated the spread of attacks, making it imperative for organizations using Marimo to prioritize patching.
Marimo users are urged to upgrade to version 0.23.0 or later, which addresses this security flaw. The update introduces necessary authentication checks to the vulnerable WebSocket endpoint, effectively mitigating the risk of unauthorized access and command execution.
Security teams should also monitor network traffic for unusual activity associated with the Hugging Face platform, as this has been a key vector in the current attack campaign. Implementing strict access controls and network segmentation can help limit the potential impact of any successful exploit attempts.
Given the critical severity of CVE-2026-39987 and its active exploitation, organizations must act swiftly to secure their systems. Regularly updating software and applying security patches are essential practices to defend against such zero-day vulnerabilities.
CSURFACE