CVE-2026-39987
published 2026-04-09


Priority: P1 (score 100), critical; CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, exploited in the wild (ITW), public exploit, initial access
CISA Known Exploited Vulnerability, remediation due 2026-05-07
Exploited in the wild
EPSS: 95.64% (99.9th percentile)
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.

Affected

3 ranges

Vendor       Product  Version range    Fixed in
coreweave    marimo   < 0.23.0         0.23.0
marimo-team  marimo   < 0.23.0         0.23.0
marimo-team  marimo   >= 0, < 0.23.0   0.23.0

Detection & IOCs (extracted from sources)

  • url: /terminal/ws
  • filename: install-linux.sh
  • filename: kagent
  • domain: vsccode-modetx
  • path: .env
  • Monitor and alert on unauthenticated WebSocket connections to the /terminal/ws endpoint; legitimate Marimo deployments should require authentication via validate_auth() before accepting connections.
  • Detect curl commands downloading scripts from Hugging Face Spaces (huggingface.co) immediately following a /terminal/ws WebSocket connection, as this pattern was used to deliver the NKAbuse dropper.
  • Hunt for systemd unit creation, cron job additions, or macOS LaunchAgent entries spawned from the Marimo process, as the NKAbuse dropper establishes persistence via these mechanisms.
  • Detect rapid sequential AWS Secrets Manager API calls originating from a Marimo host, especially when followed by SSH sessions to a bastion server — indicative of LLM-agent-driven post-exploitation.
  • Flag command streams containing '---' delimiters between commands with stderr discarded and 'less' disabled — a machine-consumption pattern associated with LLM agent post-exploitation activity.
  • Monitor for multiple reverse-shell attempts across different ports originating from a single source IP after /terminal/ws exploitation, as one observed actor attempted 15 reverse-shell techniques across multiple ports.
  • Detect PostgreSQL connections and rapid schema/table enumeration initiated from the Marimo process environment, as attackers pivoted to lateral movement by extracting database credentials from environment variables.
  • Recorded Future created Nuclei templates to detect CVE-2026-39987 (missing authentication on /terminal/ws); these are available to Recorded Future customers for scanning exposed Marimo instances.
  • The vulnerability only affects Marimo instances deployed in edit mode with network exposure; users who expose Marimo to a shared network using --host 0.0.0.0 while in edit mode are at risk.
  • All Marimo versions prior to 0.23.0 (specifically 0.20.4 and earlier per exploitation reports) are vulnerable; the fix is exclusively in version 0.23.0 and later.
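The first detection bullet above (alert on unauthenticated WebSocket connections to /terminal/ws) and the later one about repeated attempts from a single source can both be expressed as a small log-review rule. The following is an added example written for this page, not code from marimo or from any of the cited sources. It assumes the Marimo instance sits behind a reverse proxy writing combined-format access logs, in which a completed WebSocket upgrade appears as HTTP status 101; the log lines embedded in it are constructed for illustration. Because vulnerable versions accepted /terminal/ws connections without calling validate_auth(), every successful upgrade of that endpoint from a non-loopback client on an exposed edit-mode instance is worth reviewing, and the same source upgrading repeatedly is flagged separately.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample access-log lines (combined log format); these are
# illustrative only and do not come from any real deployment or report.
SAMPLE_LOG = """\
127.0.0.1 - - [09/Apr/2026:10:00:01 +0000] "GET /ws?session_id=abc HTTP/1.1" 101 0 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2026:10:00:05 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"
10.0.0.5 - - [09/Apr/2026:10:00:07 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"
127.0.0.1 - - [09/Apr/2026:10:01:00 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2026:10:02:00 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.9 - - [09/Apr/2026:10:03:00 +0000] "GET /api/kernel/code/autocomplete HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The endpoint named in the advisory; 101 is the HTTP status of a completed upgrade.
TERMINAL_WS_PATH = "/terminal/ws"
WS_UPGRADE_STATUS = "101"


def parse_line(line):
    """Return a dict of the fields we care about, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Strip any query string so /terminal/ws?foo=bar still matches the path.
    fields["path"] = fields["target"].split("?", 1)[0]
    return fields


def terminal_ws_alerts(log_text):
    """Alert on every completed /terminal/ws upgrade from a non-loopback client.

    Loopback connections are excluded because a developer running marimo
    locally legitimately opens this endpoint from the same host.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] != TERMINAL_WS_PATH or rec["status"] != WS_UPGRADE_STATUS:
            continue
        if ip_address(rec["ip"]).is_loopback:
            continue
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"]})
    return alerts


def repeat_offenders(alerts, threshold=2):
    """Sources that completed the upgrade at least `threshold` times.

    Repeated connections from one source line up with the advisory's note about
    a single actor making many connection attempts after exploitation.
    """
    counts = Counter(a["ip"] for a in alerts)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = terminal_ws_alerts(SAMPLE_LOG)
    for a in found:
        print(f"ALERT terminal-ws upgrade from {a['ip']} at {a['ts']}")
    for ip, n in repeat_offenders(found).items():
        print(f"REPEAT {ip}: {n} upgrades")
```

On the constructed sample this reports the two upgrades from 10.0.0.5 and flags that address as a repeat source; the loopback connection and the 403 from 203.0.113.7 are ignored. On a patched instance (0.23.0 or later) a non-authenticated client should not reach status 101 on this path, so after upgrading, any alert from this rule indicates a client that did pass authentication and can be reconciled against the expected user set.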

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v4.0  9.3  CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck        9.3  CRITICAL
cisa             9.3  CRITICAL