By rssfeeds-admin 
Tracked as CVE-2026-39987, the flaw allows unauthenticated attackers to hijack a live system shell, with no credentials required.
Marimo refers to a modern Python notebook framework designed as an alternative to Jupyter Notebook, built for reactive Python execution, collaborative editing, and interactive data workflows.
Critical Marimo Security Vulnerability
It is heavily used in machine learning experimentation, AI/LLM prototyping, analytics dashboards, and research engineering pipelines, often deployed inside Docker containers with access to databases, cloud APIs, and secrets-laden .env files, said Resecurity.
This deployment context makes the framework a high-value target. A single compromised Marimo instance can expose API keys, cloud credentials, proprietary datasets, and internal infrastructure, turning what appears to be a notebook into a full network pivot point.
The root cause of CVE-2026-39987 is a missing authentication check on Marimo’s /terminal/ws WebSocket endpoint. While Marimo’s primary /ws endpoint is properly protected, the terminal endpoint bypasses all access controls entirely.
The vulnerable code accepts the WebSocket connection and immediately calls pty.fork() , spawning a real, interactive OS-level shell without ever verifying the identity of the connecting user.
Marimo’s AuthenticationMiddleware, inherited from the Starlette framework, identifies users but does not block unauthenticated WebSocket connections. Authentication must be enforced explicitly inside each endpoint, and in /terminal/ws, it simply isn’t.
The attack chain is devastatingly simple:
- An attacker connects to
ws://TARGET:2718/terminal/wswith no token or session cookie - The server accepts the connection and spawns a PTY shell
- The attacker sends arbitrary system commands through the WebSocket
- Commands execute with the same privileges as the Marimo process, often root in Docker deployments
Researchers confirmed exploitation using a minimal Python WebSocket client, with command output returned in real time. A Nuclei detection template has also been published at the rxerium GitHub repository for automated scanning.
The vulnerability is already being actively exploited in the wild. According to Resecurity, threat actors are exploiting CVE-2026-39987 to deliver NKAbuse malware hosted on Hugging Face Spaces, an AI/ML platform for sharing models, datasets, and interactive apps.
The abuse of a trusted AI community platform as a malware distribution channel adds a significant layer of operational stealth to these attacks.
All Marimo versions ≤ 0.22.x are affected. Exploiting the flaw enables full data exfiltration, lateral movement across internal infrastructure, persistence via cron jobs or injected execution paths, and container or host takeover in privileged deployments.
Mitigations
- Upgrade immediately to Marimo version 0.23.0 or later, where the authentication gap is patched
- Restrict network exposure; never bind Marimo to
0.0.0.0without a VPN, firewall, or authenticated reverse proxy - Hardened containers run as non-root and drop unnecessary Linux capabilities
- Rotate secrets immediately if exposure is suspected
- Monitor
/terminal/wsfor unexpected WebSocket activity and anomalous shell-spawning processes
Organizations running Marimo in any internet-reachable or shared environment should treat this as an active incident risk requiring immediate patching and proactive threat hunting.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
The post Marimo Security Flaw Enables remote code execution Attacks appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.