Back to Home

RCE in Marimo CVE-2026-39987: exploit in 9 hours

Critical RCE CVE-2026-39987 in Marimo allows pre-auth root access via /terminal/ws. Exploit assembled in 9 hours without PoC, Sysdig recorded attack on honeypot. Recommendations: update, secret rotation, network protection.

Marimo RCE: root via WebSocket without password — exploit in 9 hours
Advertisement 728x90

Critical RCE in Marimo: Exploit Deployed in 9 Hours Without Public PoC

The critical CVE-2026-39987 (CVSS 9.3) vulnerability in Marimo versions prior to 0.23.0 allows unauthorized root shell access via WebSocket. Sysdig detected the first attack just 9 hours and 41 minutes after the advisory was published on April 8, 2026. Attackers built an exploit from the technical description alone—without a public PoC—and exfiltrated secrets from a honeypot within three minutes.

The flaw lies in the /terminal/ws endpoint: it lacks the validate_auth() call that’s present in /ws. A simple WebSocket handshake grants a PTY shell with process-level privileges. In default Docker images, this means root access, plus exposure of OpenAI, Anthropic, and Google Gemini API keys stored in .env files.

Technical Details of the Vulnerability

Marimo uses WebSockets for persistent connections: /ws handles reactive UI and notebook cells, while /terminal/ws powers the embedded terminal. The latter endpoint only checks terminal mode flags and platform PTY support—no session token authentication is performed.

Google AdInline article slot

Network-level validation occurs automatically. As a result, any remote client can connect and execute commands with server privileges. GHSA-2679-6MX9-H9XC classifies this as CWE-306 (missing authentication for critical functions). The fix in PR #9098 adds the missing validate_auth() check.

Docker deployments amplify the risk: processes run as root, and secrets are stored in .env or ~/.aws/credentials. Compromise leads to full access to LLM billing, models, and datasets.

Attack Timeline and Indicators

  • 00:00: Advisory published.
  • 09:41: First connection to /terminal/ws observed in Sysdig’s honeypot.
  • <3 mins: File system traversal, reading .env, SSH keys, cloud configurations.
  • ~1 hour: Attacker returned to verify persistence.

No miners or backdoors were deployed—indicating a targeted operation by a live attacker. Log WebSocket traffic through proxies (nginx access.log, Caddy stdout). Suspicious activity: external IP connections to /terminal/ws after April 8, 2026.

Google AdInline article slot

Common secret discovery paths:

  • .env
  • ~/.ssh/id_rsa, ~/.ssh/id_ed25519
  • ~/.aws/credentials
  • ~/.config/gcloud/
  • ~/.bash_history

RCE Pattern in AI Tools

Marimo (20k GitHub stars) is widely used at Stanford, Mozilla AI, OpenAI, and BlackRock. Deployments span Docker, Hugging Face Spaces, and CoreWeave. This marks the third RCE in months:

  • Langflow CVE-2026-33017 — exploit within 20 hours.
  • Flowise CVE-2025-59528 (CVSS 10.0) — exploited post-patch.
  • Marimo CVE-2026-39987.

AI toolchains (notebooks, pipelines) are often treated as development tools—leading to weak segmentation, poor monitoring, and excessive privileges. Reality: production access to models, data, and billing systems.

Google AdInline article slot

Protection Measures and Audit Steps

Update immediately:

  • Run marimo --version to confirm ≥ 0.23.0.
  • For Docker: rebuild image using a non-root USER.

If your port was exposed after April 8, compromise is likely. Take these actions:

  • Rotate secrets: LLM keys, cloud credentials, SSH keys.
  • Audit OpenAI/Anthropic/Google billing logs for unknown requests.
  • Use ss -tlnp | grep LISTEN to check if Marimo, Jupyter, or Flowise listen on 0.0.0.0.
  • Launch with marimo edit --host 127.0.0.1 and add reverse proxy protection (nginx auth, Caddy OAuth2).
  • Monitor advisories via GitHub Security Advisories, osv.dev, and CISA KEV.

Key Takeaways

  • Attack speed: 9h 41m from advisory to RCE—standard for well-documented vulnerabilities.
  • Default root access: Docker Marimo requires explicit user customization.
  • Secrets are the target: .env files with LLM keys are prime targets.
  • AI-RCE trend: Third consecutive RCE—calls for production-grade security practices.
  • Detection: Monitor /terminal/ws logs in proxies; audit LLM usage patterns.

— Editorial Team

Advertisement 728x90

Read Next