CVE-2026-39987

Marimo — Pre-Auth RCE via Unauthenticated Terminal WebSocket
CVSS 3.1: 9.8 / 10 (Critical) | CISA Known Exploited Vulnerability

What is Marimo?

Marimo is an open-source reactive Python notebook platform (19,600+ GitHub stars) designed as a modern replacement for Jupyter. Unlike traditional notebooks, Marimo notebooks are stored as pure Python files and execute reactively — changing one cell automatically re-runs dependent cells. It is widely used by data scientists, ML engineers, and AI researchers for interactive model development, data exploration, and sharing reproducible analyses.

Marimo instances are commonly deployed with network-accessible interfaces — locally on developer machines, in cloud environments, or as shared team notebooks. This deployment pattern makes the unauthenticated terminal endpoint a high-value attack surface: a single HTTP upgrade request to /terminal/ws yields an interactive shell running as the Marimo process user, which in many container deployments is root.

Overview

Actively Exploited — Weaponized Within 10 Hours of Disclosure. CVE-2026-39987 is a pre-authentication remote code execution vulnerability in Marimo. The terminal WebSocket endpoint /terminal/ws is completely unauthenticated, allowing any network-reachable attacker to obtain an interactive PTY shell. CISA added this to the KEV Catalog on April 23, 2026 with a remediation deadline of May 7, 2026.

The vulnerability carries a CVSS score of 9.8 (Critical) and requires no authentication, no credentials, and no user interaction. An attacker with network access to a Marimo instance can send a single WebSocket upgrade request and receive a fully interactive terminal — even when authentication is enabled on the application. Exploitation was documented less than 10 hours after the vendor advisory was published on April 8, 2026.

Within days of public disclosure, threat actors deployed a previously undocumented variant of the NKAbuse blockchain-based backdoor (Go-based, using NKN for C2) by hosting malware on HuggingFace Spaces and fetching it via the exploited terminal.

Affected Versions

Product                | Vulnerable Versions  | Fixed Version
Marimo (PyPI: marimo)  | All versions < 0.23.0 | 0.23.0 (released April 8, 2026)

The advisory originally referenced 0.20.4 as the last vulnerable version, but the structured version range in the GHSA advisory was later corrected to < 0.23.0. Users should upgrade to 0.23.0 or later regardless of their current version.

Technical Details

Root Cause: Missing Authentication on /terminal/ws

Marimo exposes a built-in terminal via a WebSocket endpoint at /terminal/ws. Other WebSocket endpoints in the application correctly call validate_auth() before accepting connections. The terminal endpoint, however, only checks two conditions before accepting connections:

  1. Whether the server is running in the correct mode (not read-only)
  2. Whether the platform supports PTY allocation

Authentication is never checked. Once connected, the client receives a full interactive PTY shell running as the user that launched the Marimo server — typically the developer's own account or, in containerized deployments, root.

CWE-306: Missing Authentication for Critical Function

This maps to CWE-306. The terminal is a critical function (arbitrary OS command execution) that was inadvertently left without any access control. The fix in 0.23.0 adds validate_auth() to the terminal endpoint's connection handler, consistent with how other authenticated endpoints are protected.
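The following is an added, hypothetical model of the control flow described above (the two pre-conditions checked before accepting the terminal WebSocket, and the 0.23.0 fix that validates authentication first). It is not Marimo's own code; ServerState, WsConnection, the cookie format and the sample token are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Hypothetical server state and connection objects (assumption, not Marimo's types).
@dataclass
class ServerState:
    mode: str = "edit"            # "edit" allows the terminal; "run" is read-only
    pty_supported: bool = True    # platform can allocate a PTY
    session_token: str = "constructed-secret-token"  # constructed sample value

@dataclass
class WsConnection:
    headers: dict = field(default_factory=dict)
    accepted: bool = False
    close_code: int = 0           # 1008 = policy violation (WebSocket close code)

def validate_auth(state: ServerState, conn: WsConnection) -> bool:
    """Constant-time comparison of the presented session token with the server's."""
    presented = conn.headers.get("cookie", "").removeprefix("session=")
    return hmac.compare_digest(presented, state.session_token)

def check_mode_and_pty(state: ServerState, conn: WsConnection) -> bool:
    """The only two gates the vulnerable endpoint applied: server mode and PTY support."""
    if state.mode != "edit" or not state.pty_supported:
        conn.close_code = 1008
        return False
    conn.accepted = True          # a PTY would be spawned here for the caller
    return True

def terminal_gate_vulnerable(state: ServerState, conn: WsConnection) -> bool:
    # Pre-0.23.0 shape (CWE-306): no authentication check at all, so any
    # network-reachable client that passes the two gates gets a shell.
    return check_mode_and_pty(state, conn)

def terminal_gate_fixed(state: ServerState, conn: WsConnection) -> bool:
    # 0.23.0 shape: validate_auth() runs first, consistent with the other endpoints.
    if not validate_auth(state, conn):
        conn.close_code = 1008
        return False
    return check_mode_and_pty(state, conn)
```

An anonymous connection passes the vulnerable gate and receives a PTY, while the fixed gate closes it with 1008 before any mode or PTY decision is made.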

Attack Characteristics

Attribute                 | Value
Authentication required   | None
User interaction required | None
Attack complexity         | Low — single WebSocket upgrade request
Network position          | Any host with TCP access to the Marimo port (default 2718)
Result                    | Full interactive PTY shell as the Marimo process user
CVSS score                | 9.8 (Critical)

Discovery

The vulnerability was reported to the Marimo team and disclosed via GitHub Security Advisory GHSA-2679-6mx9-h9xc on April 8, 2026. The Marimo maintainers released the patch (version 0.23.0) on the same day as the advisory, providing no window between disclosure and a fix being available. Despite this, attackers built a working exploit from the advisory description alone within hours of publication.

Exploitation Context

Exploitation was confirmed within hours of the public advisory. The Sysdig Threat Research Team recorded the first exploitation attempt 9 hours and 41 minutes after the advisory was published, with a complete credential theft operation executed in under 3 minutes. No public PoC existed at the time — the attacker built a working exploit directly from the advisory text.

Campaign Activity (April 11–14, 2026)

Sysdig documented a subsequent wave of attacks over four days:

  • 662 exploit events recorded
  • 11 unique source IPs across 10 countries
  • Techniques observed: reverse shell deployment, credential extraction, DNS exfiltration, lateral movement to co-located PostgreSQL and Redis via leaked credentials

NKAbuse Blockchain Backdoor via HuggingFace

One threat actor hosted a malware binary on HuggingFace Spaces and fetched it via the exploited terminal. The payload was a previously undocumented variant of NKAbuse — a Go-based backdoor that uses the NKN (New Kind of Network) blockchain for command and control, making traditional IP-based C2 blocking ineffective. This appears to be the first documented use of NKAbuse delivered via an AI development toolchain vulnerability.

Internet Exposure

Marimo instances exposed to the internet can be identified via Shodan using the favicon hash query http.favicon.hash:-1864630356. Exposure is concentrated in research, academic, and ML engineering environments. A public proof-of-concept was published on April 13, 2026 (fevar54/marimo_CVE-2026-39987_RCE_PoC), further lowering the barrier to exploitation.

Remediation

  1. Upgrade Marimo to version 0.23.0 or later immediately. Run pip install --upgrade marimo. The patch adds authentication validation to the /terminal/ws endpoint.
  2. Restrict network access. If you cannot patch immediately, block external access to the Marimo port (default: 2718) via firewall rules. Marimo should not be internet-accessible unless explicitly required.
  3. Rotate all exposed secrets. If your Marimo instance was accessible to untrusted networks before patching, treat all secrets present in the environment (API keys, database credentials, SSH keys, cloud credentials) as compromised. Rotate them immediately.
  4. Review WebSocket connection logs. Check for unexpected connections to /terminal/ws. Any connection to this path from an unauthorized host indicates exploitation. Look for outbound connections to unknown hosts originating from the Marimo server process shortly after.
  5. Check for NKAbuse indicators. Look for unexpected Go binaries downloaded from huggingface.co or similar platforms, unusual outbound traffic to NKN blockchain nodes, and new persistence mechanisms (cron jobs, systemd units) created by the Marimo server process.
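An added example for the log-review step above, not taken from the advisory or from Marimo: it scans access-log lines for WebSocket requests to /terminal/ws and reports every one from a source outside an operator-defined trusted range. The uvicorn-style line format, the sample log lines and the trusted networks are constructed assumptions; adjust the regex and ranges to your own logging setup.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (uvicorn-like format); not real Marimo logs.
SAMPLE_LOG = """\
INFO:     127.0.0.1:53112 - "GET /?file=analysis.py HTTP/1.1" 200
INFO:     127.0.0.1:53118 - "GET /ws?session_id=abc HTTP/1.1" 101
INFO:     203.0.113.45:41022 - "GET /terminal/ws HTTP/1.1" 101
INFO:     203.0.113.45:41023 - "GET /terminal/ws HTTP/1.1" 101
INFO:     10.0.8.14:60110 - "GET /terminal/ws HTTP/1.1" 101
INFO:     198.51.100.7:33001 - "GET /terminal/ws HTTP/1.1" 403
"""

# Networks from which terminal use is expected (assumption; set per environment).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.8.0/24")]

LINE_RE = re.compile(
    r'(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+) - '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_terminal_hits(log_text: str) -> list:
    """Return each /terminal/ws request that came from an untrusted source."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # drop any query string
        if path != "/terminal/ws" or is_trusted(m.group("ip")):
            continue
        findings.append({
            "src": m.group("ip"),
            "status": int(m.group("status")),
            # 101 = upgrade accepted: on an unpatched server this was a live PTY session.
            "shell_granted": m.group("status") == "101",
        })
    return findings

def hits_per_source(findings: list) -> Counter:
    """Count findings per source address to prioritise follow-up and secret rotation."""
    return Counter(f["src"] for f in findings)
```

A status of 101 from an untrusted source on an unpatched instance should be treated as a confirmed shell and trigger the secret-rotation step; a rejected upgrade (for example 403 after patching) is still worth recording as a probe.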

Key Details

Property             | Value
CVE ID               | CVE-2026-39987
Vendor / Product     | Marimo — Marimo
NVD Published        | 2026-04-09
NVD Last Modified    | 2026-04-23
CVSS 3.1 Score       | 9.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-306
CISA KEV Added       | 2026-04-23
CISA KEV Deadline    | 2026-05-07
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2026-05-07. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2026-04-08 | Vendor publishes advisory GHSA-2679-6mx9-h9xc; CVE-2026-39987 assigned; Marimo 0.23.0 patch released
2026-04-08 | First exploitation observed in the wild — 9 hours 41 minutes after advisory publication (Sysdig)
2026-04-11 | Multi-country exploitation campaign begins; attacks include reverse shells, credential theft, DNS exfiltration
2026-04-13 | Public proof-of-concept published (fevar54/marimo_CVE-2026-39987_RCE_PoC)
2026-04-14 | Sysdig documents 662 exploit events from 11 unique IPs across 10 countries; NKAbuse blockchain backdoor deployed via HuggingFace
2026-04-23 | Added to CISA Known Exploited Vulnerabilities catalog
2026-05-07 | CISA BOD 22-01 remediation deadline