Critical RCE in Marimo: Exploit Deployed in 9 Hours Without Public PoC
The critical CVE-2026-39987 (CVSS 9.3) vulnerability in Marimo versions prior to 0.23.0 allows unauthorized root shell access via WebSocket. Sysdig detected the first attack just 9 hours and 41 minutes after the advisory was published on April 8, 2026. Attackers built an exploit from the technical description alone—without a public PoC—and exfiltrated secrets from a honeypot within three minutes.
The flaw lies in the /terminal/ws endpoint: it lacks the validate_auth() call that’s present in /ws. A simple WebSocket handshake grants a PTY shell with process-level privileges. In default Docker images, this means root access, plus exposure of OpenAI, Anthropic, and Google Gemini API keys stored in .env files.
Technical Details of the Vulnerability
Marimo uses WebSockets for persistent connections: /ws handles reactive UI and notebook cells, while /terminal/ws powers the embedded terminal. The latter endpoint only checks terminal mode flags and platform PTY support—no session token authentication is performed.
Network-level validation occurs automatically. As a result, any remote client can connect and execute commands with server privileges. GHSA-2679-6MX9-H9XC classifies this as CWE-306 (missing authentication for critical functions). The fix in PR #9098 adds the missing validate_auth() check.
Docker deployments amplify the risk: processes run as root, and secrets are stored in .env or ~/.aws/credentials. Compromise leads to full access to LLM billing, models, and datasets.
Attack Timeline and Indicators
- 00:00: Advisory published.
- 09:41: First connection to
/terminal/wsobserved in Sysdig’s honeypot. - <3 mins: File system traversal, reading
.env, SSH keys, cloud configurations. - ~1 hour: Attacker returned to verify persistence.
No miners or backdoors were deployed—indicating a targeted operation by a live attacker. Log WebSocket traffic through proxies (nginx access.log, Caddy stdout). Suspicious activity: external IP connections to /terminal/ws after April 8, 2026.
Common secret discovery paths:
.env~/.ssh/id_rsa,~/.ssh/id_ed25519~/.aws/credentials~/.config/gcloud/~/.bash_history
RCE Pattern in AI Tools
Marimo (20k GitHub stars) is widely used at Stanford, Mozilla AI, OpenAI, and BlackRock. Deployments span Docker, Hugging Face Spaces, and CoreWeave. This marks the third RCE in months:
- Langflow CVE-2026-33017 — exploit within 20 hours.
- Flowise CVE-2025-59528 (CVSS 10.0) — exploited post-patch.
- Marimo CVE-2026-39987.
AI toolchains (notebooks, pipelines) are often treated as development tools—leading to weak segmentation, poor monitoring, and excessive privileges. Reality: production access to models, data, and billing systems.
Protection Measures and Audit Steps
Update immediately:
- Run
marimo --versionto confirm ≥ 0.23.0. - For Docker: rebuild image using a non-root USER.
If your port was exposed after April 8, compromise is likely. Take these actions:
- Rotate secrets: LLM keys, cloud credentials, SSH keys.
- Audit OpenAI/Anthropic/Google billing logs for unknown requests.
- Use
ss -tlnp | grep LISTENto check if Marimo, Jupyter, or Flowise listen on 0.0.0.0. - Launch with
marimo edit --host 127.0.0.1and add reverse proxy protection (nginx auth, Caddy OAuth2). - Monitor advisories via GitHub Security Advisories, osv.dev, and CISA KEV.
Key Takeaways
- Attack speed: 9h 41m from advisory to RCE—standard for well-documented vulnerabilities.
- Default root access: Docker Marimo requires explicit user customization.
- Secrets are the target:
.envfiles with LLM keys are prime targets. - AI-RCE trend: Third consecutive RCE—calls for production-grade security practices.
- Detection: Monitor
/terminal/wslogs in proxies; audit LLM usage patterns.
— Editorial Team
No comments yet.