[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fztNQNusmiRptICMCBYiryvoHI3XtcSrpLxBVNkJNqRE":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":26,"category":27,"article_tags":31},"5257b43f-bb4a-4dce-bd2d-e1033d9137de","Root in One Request: Pre-Auth RCE in Marimo (CVE-2026-39987)","root-in-one-request-pre-auth-rce-in-marimo-cve-2026-39987-9384f7","CVE-2026-39987 is a critical pre-authentication remote code execution flaw in Marimo, a popular open-source reactive Python notebook framework and a modern alternative to Jupyter with roughly 19.6k GitHub stars.","CVE-2026-39987 is a critical pre-authentication remote code execution vulnerability in Marimo, a popular open-source Python notebook framework, affecting all versions before 0.23.0. An unauthenticated attacker can complete a single WebSocket handshake to obtain a full interactive shell as the running user, with a CVSS 9.3 score. The vulnerability was actively exploited in the wild within hours of disclosure and added to CISA's KEV catalog with a federal remediation deadline of May 7, 2026.","CVE-2026-39987: Critical pre-auth RCE in Marimo Python notebook via unauthenticated WebSocket","Critical CVSS 4.0 9.3 Status Actively Exploited CISA KEV Added 2026-04-23 Root in One Request: Pre-Auth RCE in Marimo (CVE-2026-39987) Marimo Python Notebook • CWE-306 Missing Authentication • Published 2026-04-09 Vulnerability Overview CVE-2026-39987 is a critical pre-authentication remote code execution flaw in Marimo, a popular open-source reactive Python notebook framework and a modern alternative to Jupyter with roughly 19.6k GitHub stars. A remote, unauthenticated attacker only has to complete a single WebSocket handshake to an exposed instance to obtain a full interactive shell as the user running the Marimo process. 
Carrying a CVSS v4.0 score of 9.3, the bug was exploited in the wild within hours of public disclosure and was added to the CISA Known Exploited Vulnerabilities catalog on April 23, 2026, with a federal remediation deadline of May 7, 2026. CVE ID CVE-2026-39987 CVSS Score 9.3 - Critical Weakness CWE-306 Affected Product Marimo Notebook Affected Versions All \u003C 0.23.0 Attack Vector Network \u002F Unauthenticated Exploitation In the Wild Fixed In 0.23.0 Bottom Line If you run Marimo in edit mode anywhere reachable beyond a tightly trusted network, upgrade to 0.23.0 immediately and treat any unpatched, internet-adjacent instance as an active incident risk rather than a theoretical CVE. Why Marimo Is a High-Value Target Marimo is used heavily in data science, ML experimentation, and internal analytics, and is frequently run in containers with network access for collaboration. As Endor Labs noted, the product's emphasis on remote sharing and interactive editing pushes many real deployments toward browser-reachable edit servers, and those hosts commonly sit next to sensitive data: environment files, cloud credentials, databases, and internal APIs. A single unauthenticated shell on one of these boxes often means access to colocated services and production secrets on disk, so the practical blast radius extends well past the notebook process itself. Technical Analysis At its core this is a WebSocket authentication failure. Marimo exposes multiple WebSocket endpoints, and the primary session path runs every connection through validate_auth() so that only authorized clients keep a session. The integrated terminal followed a different code path: according to the official advisory, marimo\u002F_server\u002Fapi\u002Fendpoints\u002Fterminal.py accepted connections after only checking that the server was in edit mode and that the platform supported a PTY, skipping the authentication validation used everywhere else. 
One WebSocket route was protected; a parallel route that hands out a shell was not. Middleware did not close the gap. Marimo relies on Starlette's AuthenticationMiddleware, which can mark a connection as unauthenticated without rejecting the WebSocket upgrade outright. Real protection has to happen at the endpoint, through validate_auth(), a decorator, or equivalent enforcement. Because the terminal path skipped that step, an unauthenticated client could still reach websocket.accept() and the subsequent pty.fork(), landing a live shell. The full attack chain is brutally short: the attacker opens a WebSocket to \u002Fterminal\u002Fws (or wss:\u002F\u002F behind TLS), the server accepts it with no credentials, allocates a PTY and a shell, and the attacker runs arbitrary commands as the Marimo process - commonly root in default Docker images. There is no phishing, no stolen session, and no supply-chain trick. The terminal route is only wired up when the notebook runs in edit mode, so read-only or static notebook serving does not expose the path in the same way. Active Exploitation in the Wild This is not theoretical. The GitHub advisory was published on April 8, 2026, and exploitation began in under 10 hours. The Sysdig Threat Research Team, running honeypot nodes across multiple cloud providers, observed the first exploitation attempt within 9 hours and 41 minutes of publication, with a complete credential-theft operation executed in under three minutes. Because the advisory itself documented a working proof of concept, attackers needed no exploit development of their own. The follow-on activity has been serious. Researchers have tracked a campaign that uses the flaw to deploy a NKAbuse backdoor variant hosted on Hugging Face Spaces, pairing pre-auth RCE with credential theft, lateral movement into PostgreSQL and Redis, and a blockchain-based (NKN) command-and-control channel that is hard to monitor or block. 
One operator alone generated 195 events over more than three hours. Indicators worth hunting for include suspicious curl | bash executions referencing vsccode-modetx, the presence of ~\u002F.kagent directories, unusual per-user systemd services, and outbound NKN-related traffic from developer workstations. Exposure is also easy to underestimate. Endor Labs attempted only an unauthenticated upgrade to \u002Fterminal\u002Fws against a sample of 186 internet-reachable Marimo URLs and found 30 of them, about 16 percent, completing the handshake - the exact technical step an attacker takes immediately before issuing the first command. Detection Because the probe is a single WebSocket upgrade, the most reliable signals are behavioral. Monitor for WebSocket connections to terminal paths from unexpected clients, and alert on new interactive shells, unusual process trees, and atypical outbound traffic from notebook infrastructure. A safe, non-destructive check is to attempt an unauthenticated upgrade to \u002Fterminal\u002Fws against your own instances: a patched server (0.23.0 or later) refuses the connection at the authentication layer, while a vulnerable one completes the handshake. Detection Tell Marimo 0.23.0 aligns the terminal WebSocket with the same validation used by the primary session WebSocket, so a patched server rejects the unauthenticated \u002Fterminal\u002Fws upgrade instead of allocating a PTY. Assume in-the-wild abuse and hunt for post-exploitation artifacts even if you never saw the probe in your logs. Affected Versions & Fixes (Product - Affected - Resolution): Marimo \u003C 0.23.0 - Vulnerable - Upgrade with pip install --upgrade \"marimo>=0.23.0\"; Marimo 0.23.0+ - Not affected - Terminal WebSocket now enforces authentication. One versioning note: the advisory body text originally listed Marimo 0.20.4 and earlier as affected, but the structured version range consumed by tools such as Dependabot, pip-audit, and OSV was corrected to all versions prior to 0.23.0. 
Treat anything below 0.23.0 as vulnerable. Mitigation & Remediation Priority order, drawn from the vendor advisory and Endor Labs' analysis: Patch immediately. Upgrade to Marimo 0.23.0 or newer. This is the only complete fix, because it adds the missing authentication enforcement to the terminal WebSocket endpoint. Do not expose edit mode to untrusted networks. Place edit-mode instances behind VPNs, private subnets, authenticated proxies, and allowlists rather than the open internet. Avoid binding to 0.0.0.0. Do not bind Marimo to all interfaces unless your network controls are explicit and verified. Harden the container and secrets. Run as a non-root user with read-only roots and minimal capabilities where practical, keep production .env files off shared lab hosts, and rotate any credentials that may have been exposed. Hunt for compromise. Review notebook hosts for the campaign indicators above, watch for unexpected shells and egress, and assume day-one exploitation given the public proof of concept. The Bigger Picture CVE-2026-39987 is a textbook case of asymmetric trust: users believe the server requires authentication, while one WebSocket URL quietly did not. WebSocket upgrades are easy to overlook in code review because they resemble streaming HTTP, but a long-lived, full-duplex channel needs its identity and authorization established explicitly at upgrade time. 
The broader lesson applies to any developer tooling with terminals, REPLs, or kernels: powerful execution features demand strict gates - strong authentication, explicit enablement, and least privilege - and","https:\u002F\u002Fdarkwebinformer.com\u002Froot-in-one-request-pre-auth-rce-in-marimo-cve-2026-39987\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002Fsize\u002Fw1200\u002F2026\u002F05\u002Fda3648f3-91a3-4a22-9e3b-d6da3818516c.png","2026-05-29T17:37:57+00:00","2026-05-29T18:00:06.093+00:00",9,[18,21,24],{"name":19,"type":20},"Marimo","product",{"name":22,"type":23},"WebSocket","technology",{"name":25,"type":20},"Jupyter","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":26,"icon":28,"name":29,"slug":30},null,"Vulnerabilities","vulnerabilities",[32,37,42],{"category":33},{"id":34,"icon":28,"name":35,"slug":36},"02371804-cf6d-4449-98de-f1a2d4d9b266","Tools","tools",{"category":38},{"id":39,"icon":28,"name":40,"slug":41},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":43},{"id":44,"icon":28,"name":45,"slug":46},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",[48],{"type":49,"value":50,"context":51},"cve","CVE-2026-39987","Critical pre-auth RCE in Marimo via unauthenticated WebSocket endpoint"]