marimo A.I CyberSecurity Scoring

Company Information
- Website: https://marimo.io
- Employees number: 12
- Number of followers: 613
- NAICS: 5112
- Industry Type: Software Development
- Homepage: marimo.io
marimo Risk Score (AI oriented)
- Score range: between 700 and 749
- Updated: 19/05/2026
- Current Score: 727/1000, grade Ba (Moderate)
- marimo Global Score (TPRM): score locked
- 2 incidents, -11.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 728
MAY 2026: 748

Cyber Attack, 19 May 2026, marimo (score 727, severity CRITICAL-21, incident ID MARHUG1779193669)
Hugging Face and Marimo: Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks
Critical Marimo Python Notebook Vulnerability Exploited for Remote Code Execution
A severe security flaw in the Marimo Python notebook framework (CVE-2026-39987) is being actively exploited to achieve pre-authentication remote code execution (RCE), granting attackers full control over vulnerable systems. The vulnerability stems from a missing authentication check in the `/terminal/ws` WebSocket endpoint, allowing unauthenticated attackers to spawn system-level shells without credentials.
### Key Details
- Affected Versions: Marimo ≤ 0.22.x
- Exploitation Method: Attackers connect to `ws://target:2718/terminal/ws`, bypassing authentication and gaining interactive shell access.
- Active Threats: The flaw is being weaponized to deploy NKAbuse malware, with payloads hosted on Hugging Face Spaces, a popular AI/ML platform.
- Impact: Successful exploitation enables full system compromise, data theft (API keys, credentials, proprietary AI models), lateral movement, and persistence via cron jobs or container escapes.
### Technical Breakdown
The vulnerability arises from inconsistent authentication enforcement: while most Marimo endpoints are protected, the `/terminal/ws` WebSocket endpoint lacks access controls and directly spawns a pseudo-terminal (`pty.fork()`) upon connection. A simple Python exploit can execute arbitrary commands, turning the instance into a remotely accessible terminal.
### Broader Risks
Marimo is widely used in AI/ML prototyping, data science, and internal analytics, often in cloud or containerized environments with access to sensitive resources. A single breach can escalate into a broader infrastructure compromise, particularly in trusted internal networks.
### Mitigation
- Upgrade to Marimo 0.23.0 or later to patch the flaw.
- Restrict network exposure via VPNs or authenticated reverse proxies.
- Run containers as non-root and limit privileges.
- Monitor for suspicious WebSocket activity and shell spawning.
The incident highlights the growing abuse of legitimate AI platforms for malware distribution and underscores the need for strict authentication enforcement in WebSocket endpoints.
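One way to act on the monitoring advice above: an added detection script (not marimo's or Rankiteo's code) that scans reverse-proxy access logs for accepted WebSocket upgrades to `/terminal/ws`. It assumes an nginx-style combined log line with the Upgrade header value appended and an assumed trusted-network list; the log lines are constructed samples.

```python
# Added detection example (not marimo's or Rankiteo's code): flag accepted
# WebSocket upgrades to marimo's /terminal/ws in reverse-proxy access logs.
# Assumes an nginx-style combined log line with the Upgrade header appended.
import re
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "(?P<upgrade>[^"]*)"$'
)

# Networks from which terminal use could be legitimate (assumed value).
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2026:10:02:11 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "websocket"
10.0.4.2 - - [19/May/2026:10:05:42 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "websocket"
203.0.113.7 - - [19/May/2026:10:06:01 +0000] "GET / HTTP/1.1" 200 512 "-"
198.51.100.9 - - [19/May/2026:10:07:13 +0000] "GET /terminal/ws HTTP/1.1" 401 0 "websocket"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None  # None when the line does not parse

def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_NETS)

def find_terminal_upgrades(log_text):
    """Return (ip, timestamp, severity) per accepted (101) WebSocket handshake on
    /terminal/ws; trusted sources get 'review', everything else 'critical'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path != "/terminal/ws" or rec["upgrade"].lower() != "websocket":
            continue
        if rec["status"] != "101":
            continue  # handshake refused by proxy or app: no live shell
        severity = "review" if is_trusted(rec["ip"]) else "critical"
        hits.append((rec["ip"], rec["ts"], severity))
    return hits

if __name__ == "__main__":
    for ip, ts, sev in find_terminal_upgrades(SAMPLE_LOG):
        print(f"{sev.upper():8} {ts}  terminal WebSocket accepted from {ip}")
```

Internal sources are still reported, because the unpatched endpoint accepts any client and an internal host may itself be a compromised pivot.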
APRIL 2026: 750

Vulnerability, 08 Apr 2026, marimo (score 748, severity CRITICAL-2, incident ID MARSYS1776075943)
Marimo and Sysdig: Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure
Critical Marimo RCE Vulnerability Exploited Within Hours of Disclosure
A severe remote code execution (RCE) vulnerability in Marimo, an open-source Python notebook platform, was actively exploited just 9 hours and 41 minutes after its public disclosure on April 8, 2026. Tracked as CVE-2026-39987 (CVSS 9.3), the flaw allows unauthenticated attackers to gain a full interactive shell on exposed instances.
The vulnerability affects Marimo versions 0.20.4 and earlier, specifically targeting the `/terminal/ws` WebSocket endpoint, which lacks proper authentication checks. Unlike other endpoints, this path fails to validate user sessions, enabling attackers to establish a persistent shell with the privileges of the Marimo process without requiring credentials or complex payloads.
Security firm Sysdig detected the first exploitation attempts using honeypot servers. The attack began with an automated script to confirm RCE, followed by a human operator manually navigating the victim’s filesystem. Within three minutes, the attacker extracted a .env file containing sensitive cloud credentials, including AWS access keys.
Notably, no public proof-of-concept (PoC) exploit existed at the time, suggesting threat actors rapidly weaponized the flaw using details from the advisory, potentially leveraging AI to accelerate exploit development. The incident underscores a growing trend of attackers targeting niche software, not just mainstream platforms.
Marimo, used by data scientists and AI researchers, has ~20,000 GitHub stars. The patched version (0.23.0) closes the vulnerable endpoint, but organizations are advised to review logs for unauthorized access and rotate exposed credentials.
MARCH 2026: 750
FEBRUARY 2026: 750
JANUARY 2026: 750
DECEMBER 2025: 750
NOVEMBER 2025: 750
OCTOBER 2025: 750
SEPTEMBER 2025: 750
AUGUST 2025: 750
JULY 2025: 750
Frequently Asked Questions
- What is the current A.I Rankiteo Cyber Score for marimo?
- What was marimo's A.I Rankiteo Cyber Score in May 2026?
- What was marimo's A.I Rankiteo Cyber Score in April 2026?
- What was marimo's A.I Rankiteo Cyber Score in March 2026?
- What was marimo's A.I Rankiteo Cyber Score in February 2026?
- What was marimo's A.I Rankiteo Cyber Score in January 2026?
- What was marimo's A.I Rankiteo Cyber Score in December 2025?
- What was marimo's A.I Rankiteo Cyber Score in November 2025?
- What was marimo's A.I Rankiteo Cyber Score in October 2025?
- What was marimo's A.I Rankiteo Cyber Score in September 2025?
- What was marimo's A.I Rankiteo Cyber Score in August 2025?
- What was marimo's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on marimo's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with marimo?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view marimo's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?