CVE-2026-39987: Marimo Pre-Auth RCE — Root in One Request
CVSS 9.3 (CRITICAL) | Marimo < 0.23.0 | Pre-Authentication RCE via WebSocket | Exploited within 10 hours of disclosure
Executive Summary
CVE-2026-39987 represents a worst-case pre-authentication remote code execution vulnerability in Marimo, a popular Python reactive notebook platform used extensively in AI development workflows. An unauthenticated attacker can achieve complete system compromise through a single WebSocket request to /terminal/ws, gaining shell access with Marimo process privileges.
Key Facts:
- First exploitation: Within 10 hours of public disclosure (April 13, 2026)
- CISA KEV status: Added April 23, 2026
- Attack complexity: Trivial (single unauthenticated WebSocket message)
- Impact: Complete system compromise, arbitrary code execution, data exfiltration
Vulnerability Mechanics
Marimo versions prior to 0.23.0 expose a WebSocket terminal endpoint at /terminal/ws without proper authentication controls. The vulnerability chain:
1. Unauthenticated WebSocket Connection
Attacker connects to ws://target:port/terminal/ws with no credentials required
2. Command Injection Payload
Sends JSON: {"type":"exec","command":"<malicious-command>"}
3. Server-Side Execution
Marimo executes the command via Python subprocess module with shell=True
4. Shell Output Returned
Command output returned in JSON response: {"type":"output","data":"...", "exit_code":0}
Root Cause: Missing authentication check on the WebSocket terminal endpoint introduced in Marimo's interactive development features[^1].
Attack Surface
Affected Versions
- Marimo < 0.23.0 (all versions through 0.22.x)
- Specific vulnerable versions observed in the wild: 0.20.4, 0.21.x, 0.22.x
Prerequisites
- Marimo instance exposed to network (default port: 8080)
/terminal/wsendpoint reachable (enabled by default)- No authentication required
- No exploit chain needed — single request exploitation
Attack Vectors
GET /terminal/ws HTTP/1.1
Host: target.com:8080
Upgrade: websocket
Connection: Upgrade
WebSocket Message:
{"type":"exec","command":"whoami"}Real-World Exploitation
According to Sysdig threat intelligence, CVE-2026-39987 was weaponized within 10 hours of the April 13, 2026 disclosure[^2]. Attackers specifically targeted:
- AI development environments running Marimo notebooks
- Cloud-hosted data science platforms
- Research infrastructure with exposed Marimo instances
- Jupyter-alternative deployments in enterprise environments
Observed Attack Patterns:
- Initial reconnaissance via
/api/versionendpoint (detects vulnerable < 0.23.0) - WebSocket connection to
/terminal/ws - Commands:
whoami,uname -a,cat /etc/passwd - Follow-up: Reverse shells, cryptocurrency miners, data exfiltration
Detection & Response
Network Indicators
WebSocket connections to /terminal/ws without authentication
HTTP 101 Switching Protocols on /terminal/ws
JSON payloads containing {"type":"exec","command":...}Process Indicators
Marimo process spawning unexpected child processes:
- bash, sh, nc, curl, wget
- python (for reverse shells)
- crypto mining binariesSigma Rule
title: Marimo Pre-Auth RCE WebSocket Exploitation
detection:
selection:
cs-uri-path: '/terminal/ws'
sc-status: 101
cs-cookie: null
condition: selection
level: criticalFull detection package including YARA rules, Suricata signatures, and Splunk/Elastic queries available in Lyrie's CVE-2026-39987 exploit lab.
Remediation
Immediate Actions
1. Disconnect exposed Marimo instances from public networks
2. Block /terminal/ws endpoint at firewall/WAF
3. Hunt for IOCs in logs (WebSocket upgrades to /terminal/ws, suspicious Marimo child processes)
4. Verify integrity of systems running Marimo (check for unauthorized access, backdoors, persistence mechanisms)
Permanent Mitigation
1. Upgrade to Marimo >= 0.23.0 immediately[^3]
2. Never expose marimo edit or terminal endpoints to public internet
3. Implement authentication and IP whitelisting for administrative interfaces
4. Monitor WebSocket connections to /terminal/ws (should be zero in production)
Shodan/Censys Detection
http.favicon.hash:-1864630356
http.html_hash:<marimo-specific-hash>Lyrie Verdict
Threat Level: CRITICAL
CVE-2026-39987 exemplifies the dangerous intersection of AI infrastructure vulnerabilities and pre-authentication RCE:
✅ No authentication required — trivial exploitation
✅ Single request attack — no complex exploit chain
✅ Immediate code execution — no user interaction
✅ Rapid weaponization — exploited within 10 hours
✅ AI/ML targeting — attacks critical development infrastructure
This vulnerability demonstrates why machine-speed defense is non-negotiable. Human-speed patching cycles (24-72 hours) are obsolete when exploitation begins within hours of disclosure.
Recommended Posture:
- Assume any pre-April 13, 2026 Marimo deployment is compromised unless proven otherwise
- Treat AI development infrastructure with same security rigor as production environments
- Implement automated vulnerability detection and remediation for sub-24-hour response times
Organizations relying on reactive security (SIEM alerts → human investigation → manual patching) will always lose against adversaries operating at machine speed.
References
[^1]: Endor Labs Security Advisory: Root in One Request: Marimo's Critical Pre-Auth RCE
[^2]: The Hacker News: Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure
[^3]: Marimo GitHub Release: Version 0.23.0 Security Patch
Related Research:
- Full Exploit Lab (Mock + PoC + Detection) — Lyrie Threat Intelligence
- CISA KEV Entry — CVE-2026-39987
Word Count: 897
Citations: 3
Last Updated: April 26, 2026
Lyrie Verdict
A vulnerability of this severity is exactly what Lyrie's anti-rogue-AI defense is built for: continuous, autonomous monitoring that doesn't wait for human reaction time.
Validated sources
- [1]NIST NVD
- [2]MITRE CVE
- [3]Lyrie Research Lab