By zerosday news•April 10, 2026•

news

Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure

Marimo RCE Vulnerability (CVE-2026-39987): Critical Unauthenticated WebSocket Flaw Actively Exploited

For General Readers (Journalistic Brief)

A serious security vulnerability has been discovered in Marimo, a widely used open-source tool that helps data scientists and analysts create interactive reports and notebooks. This flaw, identified as CVE-2026-39987, allows attackers to take complete control of any Marimo installation that is accessible from the internet, all without needing any login credentials.

The problem lies within a specific feature of Marimo that provides a command-line interface (terminal) to the server. Researchers found that this terminal connection point was not properly secured. This means anyone could connect to it and run commands as if they were a legitimate user, which is a significant risk given that Marimo often handles sensitive data.

Alarmingly, security experts observed an attacker actively exploiting this vulnerability within just 10 hours of its public announcement. The attacker successfully gained a full command-line shell, allowing them to explore the system, search for sensitive information like API keys and login credentials, and potentially cause damage. This rapid exploitation highlights a concerning trend where cybercriminals are quick to weaponize newly revealed security weaknesses, leaving organizations with minimal time to protect themselves.

This incident serves as a critical reminder that even specialized tools, if exposed online, can become targets for cyberattacks. It emphasizes the urgent need for prompt security updates and robust monitoring systems to defend against these fast-moving threats.

Technical Deep-Dive

1. Executive Summary

CVE ID: CVE-2026-39987
CVSS Score: 9.3 (Critical)
Affected Products: Marimo, all versions prior to and including 0.20.4.
Severity Classification: Critical Remote Code Execution (RCE) due to pre-authentication vulnerability.
Exploitation Status: Actively exploited in the wild within 10 hours of public disclosure.
Impact: Allows unauthenticated attackers to gain a full PTY shell, execute arbitrary system commands, and potentially exfiltrate sensitive data.

2. Technical Vulnerability Analysis

CVE ID and Details: CVE-2026-39987. Publication Date: Not publicly disclosed at the time of analysis, but exploitation observed within 10 hours of disclosure. CVSS v3.1 Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability Metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged. Impact Metrics: Confidentiality: High, Integrity: High, Availability: High).
Root Cause (Code-Level): The vulnerability stems from insufficient authentication and authorization checks on the /terminal/ws WebSocket endpoint within the Marimo application. Specifically, the code responsible for handling terminal WebSocket connections fails to invoke the validate_auth() function, which is a critical security control used by other WebSocket endpoints (e.g., /ws) to authenticate incoming connections. Instead, the /terminal/ws endpoint proceeds with checks only for the application's running mode and platform support before establishing a connection. This bypass allows any unauthenticated user to initiate a WebSocket connection to this endpoint, effectively gaining a PTY (pseudo-terminal) shell on the server. The identified CWE is CWE-306: "Authentication Bypass by Alternate Path or Function."
- Code Pattern (Conceptual):
```
# Simplified representation of the vulnerable logic in Marimo's server component
@app.websocket("/terminal/ws")
async def terminal_websocket_endpoint(websocket: WebSocket):
    # CRITICAL OMISSION: The validate_auth() function is NOT called here.
    # This bypasses the primary authentication mechanism.

    # The code proceeds directly to mode and platform checks:
    if not is_running_in_supported_mode(app.config) or not is_platform_supported(app.config):
        await websocket.close(code=1008, reason="Unsupported mode or platform")
        return

    # Without authentication, it establishes a PTY shell:
    await handle_pty_shell(websocket, app.config)
```
Affected Components: Marimo, all versions prior to and including 0.20.4. The vulnerability is present in the web server component responsible for managing WebSocket connections.
Attack Surface: The /terminal/ws WebSocket endpoint exposed by the Marimo web server. This endpoint is accessible over the network if the Marimo instance is exposed to the internet or is reachable from a compromised internal network segment.

3. Exploitation Analysis (Red-Team Focus)

Red-Team Exploitation Steps:
1. Prerequisites: A Marimo instance running a vulnerable version (<= 0.20.4) that is network-accessible. No specific firewall ports beyond Marimo's standard web interface port (typically 8000, over HTTP/HTTPS) are required.
2. Access Requirements: Unauthenticated. The attacker does not require any credentials or prior access to the Marimo instance.
3. Exploitation Steps:
  - Establish a WebSocket connection to the vulnerable endpoint: ws://<target_ip>:<port>/terminal/ws.
  - Upon successful connection establishment, the attacker is granted a PTY (pseudo-terminal) shell.
  - The attacker can then execute arbitrary commands on the underlying operating system of the server hosting the Marimo application.
4. Payload Delivery: Direct command execution via the established PTY shell. No distinct "payload" in the traditional sense is delivered; commands are executed directly by the attacker's input.
5. Post-Exploitation: Manual reconnaissance (e.g., ls, pwd, whoami), data exfiltration (e.g., .env files, SSH keys, sensitive configuration files), privilege escalation attempts (dependent on the target OS and Marimo process privileges), and potential lateral movement within the compromised network.
Public PoCs and Exploits: No specific public PoC or exploit tool name was disclosed at the time of the initial report. However, the report indicates that the attacker was able to construct a working exploit "directly from the advisory description," suggesting the vulnerability's nature was sufficiently clear for manual exploitation without pre-existing code.
Exploitation Prerequisites: The Marimo application must be running version <= 0.20.4. The Marimo instance must be network-accessible from the attacker's originating location.
Automation Potential: High. Once a target is identified and network accessibility is confirmed, the initial connection to the WebSocket endpoint and subsequent command execution can be fully automated. While the reconnaissance and data exfiltration observed were manual, these activities can be scripted. The vulnerability is highly suitable for automated scanning and exploitation, and potentially for worm-like propagation if a mechanism for discovering and targeting other Marimo instances is implemented.
Attacker Privilege Requirements: Unauthenticated. The attacker requires no prior privileges on the Marimo instance or the underlying host system.
Worst-Case Scenario: An unauthenticated attacker gains full remote code execution with the privileges of the user running the Marimo process. This can lead to:
- Confidentiality: Complete compromise of all data processed or stored by Marimo, including sensitive datasets, API keys, user credentials, and system configuration files. Exfiltration of SSH private keys could grant access to other systems within the network.
- Integrity: Modification or deletion of data, configuration files, or the Marimo application itself. Installation of malicious software such as ransomware, backdoors, or cryptominers.
- Availability: Disruption of Marimo services, denial of service through resource exhaustion, or complete system compromise leading to unavailability.

4. Vulnerability Detection (SOC/Defensive Focus)

How to Detect if Vulnerable:
- Version Check: The most direct method is to verify the installed version of Marimo. If the version is <= 0.20.4, the system is vulnerable. This can typically be achieved by inspecting package manager lists (e.g., pip list | grep marimo) or application deployment configurations.
- Process Analysis: Identify running Marimo processes. The specific command line arguments might reveal the installation path and version.
- Configuration Artifacts: If Marimo is deployed via configuration management tools or container orchestration platforms, examine those configurations for the installed version.
- Proof-of-Concept Detection Test (Safe): A safe test involves attempting to establish a WebSocket connection to /terminal/ws from an isolated network segment or using a tool like websocat or a custom Python script. A successful connection without any authentication prompt or error related to authentication indicates vulnerability. Caution: This test should only be performed on systems you have explicit authorization to test and within a controlled, isolated environment.
```
# Example using websocat (install if needed: cargo install websocat)
# This command attempts to connect. If it hangs or prompts for authentication, it's likely patched.
# If it establishes a connection and allows command input, it's vulnerable.
websocat ws://<target_ip>:<port>/terminal/ws
```
Indicators of Compromise (IOCs):
- File Hashes: Not directly applicable unless malware is dropped. However, if the attacker downloads tools or scripts, their hashes could become IOCs.
- Network Indicators:
  - Unusual WebSocket connections to the Marimo port, particularly from unexpected external IP addresses.
  - Specific connections to the /terminal/ws endpoint.
  - Outbound connections initiated from the Marimo server to suspicious external IPs or domains, especially for data exfiltration or command-and-control (C2) communication.
  - Connections on non-standard ports if the attacker attempts to establish reverse shells.
- Process Behavior Patterns:
  - Execution of unusual shell commands (e.g., whoami, id, ls -la, cat /etc/passwd, find / -name "*.env", ssh-keygen, curl, wget) originating from the Marimo process user, especially if these commands are executed in an unexpected context.
  - Processes spawned by the user running Marimo that are not typically associated with its normal operation (e.g., network scanning tools, cryptominers, reverse shell clients).
  - Attempts to create or modify SSH authorized_keys files.
- Registry/Config Changes: Modifications to system configuration files, user profiles, or the .env file within the Marimo application directory.
- Log Signatures:
  - Web server logs showing connections to /terminal/ws.
  - Application logs indicating errors or unusual activity related to WebSocket handling.
  - System logs (e.g., auth.log, syslog, Windows Event Logs) showing suspicious command executions or user activity originating from the Marimo process user.

SIEM Detection Queries:

KQL (Azure Sentinel / Microsoft Defender for Endpoint):

// Detect suspicious WebSocket connections to Marimo's terminal endpoint
let marimo_process_name = "marimo"; // Adjust if process name differs
let marimo_terminal_endpoint = "/terminal/ws";
let suspicious_commands = dynamic(["whoami", "id", "ls", "cat", "find", "ssh", "curl", "wget", ".env", "grep", "ps", "netstat"]);

DeviceNetworkEvents
| where RemoteUrl endswith marimo_terminal_endpoint
| where InitiatingProcessName contains marimo_process_name or InitiatingProcessVersionInfoOriginalFileName contains marimo_process_name // Adjust based on telemetry
| extend Command = extract(".*", 1, RemoteUrl) // Basic extraction, may need refinement for complex URLs
| where Command !in ("") // Filter out empty commands if any
| project Timestamp, DeviceName, InitiatingProcessName, RemoteUrl, RemoteIP, LocalIP, LocalPort, Command
| extend SuspiciousCommandDetected = iff(Command in suspicious_commands, "Yes", "No")
| where SuspiciousCommandDetected == "Yes" // Filter for commands that are part of reconnaissance or privilege escalation
| project Timestamp, DeviceName, InitiatingProcessName, RemoteUrl, RemoteIP, LocalIP, LocalPort, Command, SuspiciousCommandDetected

SPL (Splunk):

# Detect suspicious WebSocket connections to Marimo's terminal endpoint
index=* sourcetype=access_combined OR sourcetype=iis OR sourcetype=nginx OR sourcetype=apache OR sourcetype=marimo_logs
| search " /terminal/ws "
| regex " /terminal/ws "
| rename cs_uri_path as uri_path
| search uri_path="/terminal/ws"
| eval command_executed = mvindex(split(uri_path, "/"), -1) # Basic extraction, may need refinement
| search command_executed IN ("whoami", "id", "ls", "cat", "find", "ssh", "curl", "wget", ".env", "grep", "ps", "netstat")
| table _time, host, clientip, uri_path, command_executed, http_method
| rename host as Host, clientip as ClientIP, uri_path as URIPath, command_executed as CommandExecuted, http_method as HTTPMethod

Sigma Rule (Conceptual):

title: Marimo Unauthenticated Terminal WebSocket Access
id: abcdef12-3456-7890-abcd-ef1234567890
status: experimental
description: Detects network connections to the unauthenticated /terminal/ws endpoint of Marimo.
author: Your Name/Org
date: 2026/04/10
references:
    - https://thehackernews.com/2026/04/marimo-rce-flaw-cve-2026-39987.html
logsource:
    category: network
    product: # Specify your network logging product (e.g., Zeek, Suricata, firewall logs)
detection:
    selection:
        destination_port: 8000 # Or Marimo's configured port
        # For web proxy/WAF logs:
        url|endswith: "/terminal/ws"
        # For specific network traffic logs (e.g., Zeek http log):
        # protocol: "ws"
        # method: "GET" # WebSocket handshake often starts with GET
    condition: selection
falsepositives:
    - Legitimate Marimo usage if the endpoint were ever intended for unauthenticated access (highly unlikely).
level: critical
tags:
    - attack.t1071.t1071.001 # Web Protocols
    - attack.t1573 # Encrypted Channel
    - cve-2026-39987

Behavioral Indicators:
- A sudden and significant increase in network traffic originating from the Marimo server, particularly outbound connections.
- Execution of commands related to file enumeration, credential harvesting, or network scanning originating from the Marimo process user.
- Creation of new user accounts or modification of existing user privileges on the server.
- Installation of unauthorized software or scripts on the host.
- Attempts to disable or tamper with security logging or monitoring tools.
- Repeated access to the compromised system by the attacker over a period, indicating manual operation and confirmation of findings.

5. Mitigation & Remediation (Blue-Team Focus)

Official Patch Information: Marimo version 0.23.0 includes a fix for this vulnerability. Users are strongly advised to update to version 0.23.0 or a later release.
- Fix Commit: Not publicly disclosed in the source article, but confirmed to be present in version 0.23.0.
Workarounds & Temporary Fixes:
- Network Segmentation: Isolate Marimo instances from the broader network, especially the internet. Restrict inbound access to only trusted IP addresses or networks.
- Firewall Rules: Implement strict firewall rules to block all inbound traffic to the Marimo port (default 8000) from untrusted sources. This is the most effective immediate control for internet-facing instances.
- Web Application Firewall (WAF): If Marimo is exposed via a WAF, configure rules to block WebSocket connections to /terminal/ws from unauthenticated sources. This may require advanced WAF capabilities for deep packet inspection of WebSocket traffic.
- Disable WebSocket Endpoint (if possible): If Marimo offers configuration options to disable specific WebSocket endpoints or features, disable the terminal functionality if it is not critically required. This is unlikely to be a configurable option in the affected versions.
- Reverse Proxy with Authentication: Place a reverse proxy (e.g., Nginx, Traefik) in front of Marimo that enforces authentication before forwarding traffic. This requires careful configuration to correctly handle WebSocket proxying and may not protect the /terminal/ws endpoint if it's not properly proxied or if the proxy itself is vulnerable.
- Access Control: Ensure that only authorized users and systems can access the Marimo instance.
Manual Remediation Steps (Non-Automated):
1. Backup: Perform a full backup of any critical data or configurations associated with the Marimo instance.
2. Identify Vulnerable Instances: Conduct an environment scan to identify all Marimo installations and their respective versions.
3. Update Marimo: The primary and most effective remediation is to update Marimo to version 0.23.0 or later.
  - Using pip:
```
pip uninstall marimo
pip install marimo --upgrade
```
  - If installed via other means (e.g., Docker, system package): Follow the specific update procedures provided by the vendor or distribution. For Docker, pull the latest image and redeploy the container.
4. Restart Marimo Service: After updating, ensure the Marimo service is restarted for the changes to take effect.
5. Verify Patch: After restarting, confirm the Marimo version is now 0.23.0 or higher.
6. Monitor: Closely monitor logs for any signs of attempted or successful exploitation before and after the patch deployment.
Risk Assessment During Remediation: During the window between disclosure and patching, the primary risk is unauthenticated RCE. Any internet-facing Marimo instance is at immediate risk of compromise. The risk is highest for instances running on servers containing sensitive data or possessing broad network access. Organizations must prioritize patching or implementing network-level controls immediately.

6. Supply-Chain & Environment-Specific Impact

CI/CD Impact: If Marimo is integrated into CI/CD pipelines for data analysis, model training, or report generation, a compromise could lead to the injection of malicious code into build artifacts, compromise of build secrets, or disruption of the pipeline's execution. The /terminal/ws endpoint could be leveraged to gain access to the build agent's operating environment.
Container/Kubernetes Impact:
- Docker: If Marimo is containerized using Docker, the vulnerability exists within the container. Exploitation would grant RCE within the container's namespace. The attacker could then attempt to break out of the container if isolation mechanisms are weak or misconfigured.
- Kubernetes: In a Kubernetes environment, exploitation of Marimo running in a pod would grant RCE within that specific pod. The impact is contingent on the pod's security context, network policies, and the privileges granted to the Marimo container. An attacker could use the compromised pod as a pivot point to attack other pods or the Kubernetes control plane if network policies are permissive. Container isolation effectiveness is paramount; a vulnerable application within a container still requires robust container runtime security and network segmentation.
Supply-Chain Implications: While Marimo itself is an application, if it relies on vulnerable dependencies or is used in the creation of other software, it could indirectly contribute to supply-chain risks. The direct impact in this scenario is on the Marimo instance itself. The speed of exploitation suggests attackers are actively scanning for and exploiting any internet-facing application with critical advisories, irrespective of its broader supply chain position.

7. Advanced Technical Analysis

Exploitation Workflow (Detailed):
1. Discovery: Attacker scans the internet for open ports running Marimo or identifies targets through other intelligence gathering methods.
2. Targeting: Attacker identifies a Marimo instance running a vulnerable version (<= 0.20.4) via banner grabbing, version fingerprinting, or direct probing.
3. WebSocket Connection: Attacker initiates a WebSocket connection to ws://<target_ip>:<port>/terminal/ws. This handshake typically involves an HTTP Upgrade request.
4. Authentication Bypass: The Marimo server, upon receiving the request at /terminal/ws, bypasses the validate_auth() check and proceeds directly to establish a PTY session.
5. Shell Access: The attacker receives a functional PTY shell, enabling interactive command execution.
6. Reconnaissance: Attacker executes commands such as whoami, id, ls -l, pwd to understand the environment and user context.
7. Data Exfiltration: Attacker searches for and reads sensitive files, including .env files (common for API keys, database credentials), SSH private keys (~/.ssh/id_rsa), configuration files, or application data.
8. Persistence/Further Actions: Depending on the attacker's objectives, they may attempt to establish persistent access (e.g., reverse shell, scheduled tasks), pivot to other systems, or deploy malware. The observed activity focused on reconnaissance and credential harvesting.
Code-Level Weakness: The primary weakness is the omission of an authentication check on the /terminal/ws endpoint. This is a classic case of insecure direct object reference or path traversal if the endpoint itself could be manipulated, but here it's a direct bypass of the authentication mechanism designed for other endpoints. The vulnerability resides in the marimo/server/api/terminal.py (or a similarly named file) where the WebSocket handler for /terminal/ws is defined and crucially lacks the call to validate_auth().
Related CVEs & Chaining:
- Similar Vulnerabilities: This vulnerability is analogous to other RCE vulnerabilities that exploit insecure WebSocket handling or API endpoints lacking proper authentication. Examples include vulnerabilities in web frameworks that expose administrative functions or debugging interfaces without authentication.
- Chaining: While not explicitly mentioned, this RCE could be chained with other vulnerabilities. For instance, if an attacker first gains low-privilege access to a system and then discovers an internet-facing, vulnerable Marimo instance, they could use the RCE to escalate privileges or pivot. Conversely, if Marimo is running with high privileges, this RCE is immediately critical.
Bypass Techniques:
- WAF/IDS/IPS Bypass: Standard WAFs may struggle to inspect the content of WebSocket traffic effectively. If the WAF only inspects the initial HTTP handshake, it might miss malicious commands sent over the established WebSocket connection. Advanced WAFs with WebSocket inspection capabilities might detect suspicious command patterns.
- EDR Bypass: EDR solutions might detect the suspicious commands executed by the Marimo process. However, if the attacker employs obfuscation techniques for commands or downloads tools that are not yet signatured, EDR bypass is possible. The rapid exploitation suggests attackers may have been using known reconnaissance techniques that EDRs might not flag as anomalous immediately.
- Sandbox Bypass: If the attacker's objective is to deploy malware, they might utilize sandbox-evasion techniques within the shell to avoid detection during initial analysis.

8. Practical Lab Testing

Safe Testing Environment Requirements:
- Isolated Network: A completely isolated network segment, disconnected from production and the internet, or a dedicated lab network with strict firewall rules.
- Virtual Machines (VMs): Utilize VMs for both the attacker and target systems.
- Docker Containers: Deploy Marimo within a Docker container in an isolated Docker network. This simplifies setup and teardown.
- Snapshots: Take VM/container snapshots before testing to facilitate easy reversion to a clean state.
How to Safely Test:
1. Set up Target: Deploy an older version of Marimo (e.g., 0.20.4) within an isolated VM or Docker container. Ensure it is accessible only within the lab network.
2. Set up Attacker: Use a separate VM or container as the attacker machine.
3. Simulate Exploitation:
  - From the attacker machine, use a tool like websocat or a Python script to connect to ws://<vulnerable_marimo_ip>:<port>/terminal/ws.
  - Once connected, execute basic reconnaissance commands (e.g., whoami, ls -l).
  - Attempt to read a dummy .env file or a file created specifically for testing purposes.
4. Simulate Detection: Monitor network traffic and process logs on the target system using tools like Wireshark, tcpdump, or by enabling verbose logging.
5. Test Mitigation:
  - Apply network segmentation/firewall rules and re-attempt connection.
  - Update Marimo to 0.23.0 and verify that the connection fails or is properly authenticated.
Test Metrics:
- Successful Connection: Boolean (True/False) for establishing a WebSocket connection to /terminal/ws.
- Command Execution: Boolean (True/False) for successfully executing commands via the shell.
- Data Exfiltration: Boolean (True/False) for successfully reading test data files.
- Detection Rate: Percentage of malicious activities (connection attempts, command executions) detected by monitoring tools.
- Mitigation Effectiveness: Time taken to block exploitation after implementing controls (e.g., firewall rule, patch).

9. Geopolitical & Attribution Context

Is there evidence of state-sponsored involvement? No public evidence or reporting suggests state-sponsored involvement. The rapid exploitation and focus on credential harvesting are common tactics employed by various threat actors, including financially motivated groups and opportunistic attackers.
Targeted Sectors: The initial report does not specify targeted sectors. However, any organization using internet-facing Marimo instances is a potential target. Given Marimo's use in data science, sectors dealing with sensitive data (finance, healthcare, research, technology) could be of interest.
Attribution Confidence: Low. The observed activity is consistent with opportunistic exploitation rather than a highly targeted, sophisticated campaign. The attacker was able to craft an exploit based on the advisory, suggesting a skilled but potentially independent actor or a group that quickly adapts to new disclosures.
Campaign Context: No evidence suggests this is part of a known, named APT campaign. The activity appears to be a standalone exploitation event.
If unknown: Attribution currently unconfirmed. No public information links this exploitation to specific nation-state actors or advanced persistent threat groups.

10. References & Sources

NVD/CVE: CVE-2026-39987 (Record likely to be populated upon full public disclosure).
Security Vendor Advisories: Sysdig (as reported by Zerosday News).
PoC Links: Not publicly disclosed at the time of reporting.
Academic Research: Not applicable for this specific vulnerability report.
CISA Alerts: Not applicable at the time of reporting.
Original Report: Zerosday News: https://thehackernews.com/2026/04/marimo-rce-flaw-cve-2026-39987.html
Marimo Advisory: Marimo maintainers' advisory (referenced in the article).