Marimo, a popular open‑source reactive Python notebook used in data science and AI workflows, is under active attack following the disclosure of a critical pre‑authentication remote code execution flaw tracked as CVE‑2026‑39987 (CVSS 9.3).
CVE‑2026‑39987 is a pre‑authorization remote code execution (RCE) vulnerability affecting Marimo instances before version 0.23.0, including widely deployed 0.20.4 releases. The bug stems from a missing authentication check on the /terminal/ws WebSocket endpoint, which exposes a full PTY shell to anyone with network access to the service.
Unlike other WebSocket endpoints such as /ws, which correctly invoke validate_auth(), /terminal/ws only verifies running mode and platform support and completely skips authentication.
Marimo Pre‑Auth RCE Vulnerability
This design flaw allows an unauthenticated attacker to obtain an interactive shell and execute arbitrary system commands with the privileges of the Marimo process.
Because Marimo is frequently run on servers that also hold source code, model artifacts, datasets, and secrets, an attacker can quickly pivot from notebook access to full environment compromise. The issue has been patched in Marimo version 0.23.0 and later, which restores proper authentication checks for the terminal endpoint and closes the RCE vector.
Security researchers report that threat actors began exploiting CVE‑2026‑39987 less than 10 hours after public disclosure, illustrating the shrinking window between advisory publication and real‑world attacks.
Honeypot data and cloud telemetry show automated internet‑wide scanning for exposed Marimo instances, typically on default ports such as 10101, followed by rapid weaponization of the single‑request exploit.
Threat Research Team observed hundreds of exploit attempts in just a few days, originating from multiple unique IPs across numerous countries, with attackers repeatedly reconnecting to validate access and loot credentials.
In one cluster of activity, miscreants used the RCE to deploy a previously undocumented variant of the Go‑based NKAbuse malware, which leverages the NKN blockchain network for command‑and‑control and can turn compromised hosts into nodes in a decentralized botnet.
Other observed post‑exploitation actions include reading .env files to harvest API keys, attempting to install cryptocurrency miners, and setting up reverse shells for persistence.
At the technical level, CVE‑2026‑39987 is a broken authentication control mapped to CWE‑306 (Missing Authentication for Critical Function). The terminal WebSocket endpoint was designed to provide an interactive shell tied to the notebook environment, but the implementation failed to enforce the same authentication path as other real‑time endpoints.
As a result, any remote actor who can reach /terminal/ws can upgrade a simple WebSocket connection into a fully interactive PTY session on the host, without supplying credentials or session tokens.
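The pattern described above, one WebSocket handler skipping the auth call that its siblings make, can be caught by a static check in CI. This is an added example, not Marimo's code: the handler source is constructed, and the `@router.websocket(...)` decorator shape and every name other than `validate_auth`, `/ws` and `/terminal/ws` are assumptions.

```python
import ast

# Constructed source modelling the pattern in the article; NOT Marimo's code.
SAMPLE_SOURCE = '''
@router.websocket("/ws")
async def websocket_endpoint(websocket):
    if not validate_auth(websocket):
        return await websocket.close()
    await serve_session(websocket)

@router.websocket("/terminal/ws")
async def terminal_endpoint(websocket):
    if not (is_edit_mode() and platform_supported()):
        return await websocket.close()
    await spawn_pty(websocket)
'''

# Calls accepted as an authentication check (from the article).
AUTH_FUNCS = {"validate_auth"}


def route_path(dec):
    """Path of an @<obj>.websocket("<path>") decorator, else None."""
    is_ws = (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
             and dec.func.attr == "websocket" and dec.args
             and isinstance(dec.args[0], ast.Constant))
    return dec.args[0].value if is_ws else None


def called_names(func):
    """Names of every function or method called anywhere inside func."""
    calls = [n.func for n in ast.walk(func) if isinstance(n, ast.Call)]
    return {getattr(f, "id", None) or getattr(f, "attr", None) for f in calls}


def unauthenticated_ws_routes(source):
    """List (path, handler) pairs whose handler never calls an auth check."""
    missing = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in node.decorator_list:
                path = route_path(dec)
                if path and not (called_names(node) & AUTH_FUNCS):
                    missing.append((path, node.name))
    return sorted(missing)
```

The check only proves that an auth call is present in the handler, not that its result gates the session, so it complements code review rather than replacing it.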
The practical impact is severe for organizations running Marimo in shared research clusters, CI/CD environments, or cloud AI stacks. An attacker who gains shell access can:
- Exfiltrate sensitive training data, model weights, and proprietary code stored on the host.
- Steal cloud credentials, API keys, and database passwords from configuration files and environment variables.
- Deploy additional malware, including botnets or ransomware staging tools, for lateral movement and monetization.
- Tamper with experiments or pipelines, quietly poisoning data or models in MLOps workflows.
Because exploitation is pre‑auth and “single‑shot,” defenders cannot rely on password hygiene or MFA alone; once the endpoint is reachable, compromise can occur via a single crafted request.
Mitigation and Detection
The highest‑priority action for defenders is to upgrade all Marimo deployments to version 0.23.0 or newer, where the vulnerable terminal endpoint behavior is corrected, CISA reported.
Organizations should treat unpatched instances as actively exposed and follow emergency patch management processes, including those recommended in applicable federal directives for cloud services and third‑party software.
From a detection and response standpoint, defenders should:
- Hunt for connections to /terminal/ws from external or unexpected IP ranges in reverse proxy, WAF, and application logs.
- Review shell history, process lists, and recently modified files on Marimo hosts for signs of post‑exploitation activity, including mining binaries or unfamiliar Go executables (potential NKAbuse variants).
- Rotate credentials exposed in .env, configuration files and notebook cells on any system where suspicious access is identified.
- Integrate specific IOCs and behavioral rules from recent threat research into SIEM and EDR tooling, focusing on anomalous outbound connections and blockchain‑based C2 patterns.
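The first hunt in the list above can be run directly over reverse proxy access logs. This is an added example, not code from the original article or from any vendor: the log lines are constructed (nginx "combined" format, documentation IP ranges), and the trusted network is an assumption to replace with your own.

```python
import ipaddress
import re

# Constructed nginx "combined"-format lines; addresses are documentation ranges.
SAMPLE_LOG = '''\
10.20.1.15 - - [14/Apr/2026:09:12:01 +0000] "GET /ws?session_id=a1 HTTP/1.1" 101 0 "-" "Mozilla/5.0"
10.20.1.15 - - [14/Apr/2026:09:12:07 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.44 - - [14/Apr/2026:11:03:52 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "-"
198.51.100.9 - - [14/Apr/2026:11:04:10 +0000] "GET /terminal/ws/ HTTP/1.1" 403 153 "-" "-"
203.0.113.44 - - [14/Apr/2026:11:09:30 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 0 "-" "-"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumption: the only network from which terminal use is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def hunt_terminal_ws(log_text, trusted=TRUSTED_NETS):
    """Return /terminal/ws requests that came from outside the trusted networks."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the query string and trailing slash; endswith() tolerates a base-URL prefix.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if not path.endswith("/terminal/ws"):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if any(ip in net for net in trusted):
            continue
        # 101 Switching Protocols: the WebSocket upgrade succeeded, so a shell was served.
        outcome = "upgraded" if m["status"] == "101" else "refused"
        findings.append({"ip": str(ip), "ts": m["ts"], "outcome": outcome})
    return findings


if __name__ == "__main__":
    for finding in hunt_terminal_ws(SAMPLE_LOG):
        print(finding)
```

Treat every `upgraded` finding as a host to triage under the remaining items in the list. The source address is only meaningful if the proxy logs the real client IP rather than an upstream hop.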
Longer term, teams should ensure that developer and data‑science tooling adheres to least‑privilege principles, with strong authentication, segmented networks, and explicit monitoring of “convenience” features such as embedded terminals, which frequently become high‑value entry points.
FAQ
What is CVE‑2026‑39987 in Marimo?
CVE‑2026‑39987 is a critical pre‑auth remote code execution flaw in Marimo’s /terminal/ws endpoint that grants unauthenticated shell access.
Which Marimo versions are affected by this vulnerability?
All Marimo releases before 0.23.0, including 0.20.4, are affected.
Is CVE‑2026‑39987 being exploited in the wild?
Yes, multiple security firms have confirmed automated scanning and active exploitation within hours of public disclosure.
How can organizations mitigate the Marimo RCE risk today?
Upgrade to Marimo 0.23.0+, remove public exposure, enforce network and auth controls, and hunt for /terminal/ws access and malware on affected hosts.
Site: thecybrdef.com