Under 10 Hours: The marimo Terminal RCE Exploited in a Record-Breaking AI Sprint
Do Son 
A critical flaw in marimo, a popular reactive Python notebook platform, has become the latest case study in how modern threat actors are weaponizing advisories with unprecedented speed.
The vulnerability, tracked as CVE-2026-39987, carries a CVSS score of 9.3. It allows unauthenticated attackers to gain a full interactive shell on a server with just a single connection.
At the heart of the issue is a classic oversight in authentication logic. While most of marimoβs communication channels were locked down, one specific door was left wide open: the terminal WebSocket.
In the affected versions (<= 0.20.4), the /terminal/ws endpoint failed to call validate_auth(). While other parts of the application properly verified user credentials, this specific endpoint only checked if the terminal was supported on the platform before welcoming the connection.
The Attack Chain
- Connection: The attacker connects to
ws://TARGET:2718/terminal/ws. - Bypass: The server accepts the connection immediately because it lacks an authentication decorator.
- Shell Access: The server calls
pty.fork(), handing the attacker a full interactive shell. - Root Privileges: In default Docker deployments, these commands run as root, giving the attacker total control over the container.
The Sysdig Threat Research Team (TRT) observed the first exploitation attempt in the wild just 9 hours and 41 minutes after the advisory was published.
Notably, no public proof-of-concept (PoC) code existed at the time. Threat actors likely used AI to analyze the technical details in the advisory and build a working exploit from scratch. This nearly doubles the speed seen in previous high-profile attacks, such as the Langflow RCE earlier this year.
Honeypot data revealed that this wasn’t just an automated bot. The behavior suggested a human operator working with a clear objective:
- The attacker first ran a scripted PoC to confirm they had code execution.
- They went straight for .env files and SSH keys.
- In one instance, a complete credential theft operationβincluding harvesting AWS access keysβwas executed in under 3 minutes.
If you are running marimo in your environment, you should patch immediately.
- Update: Move to version 0.23.0 or later.
- Disable: If you cannot update, disable the terminal functionality or restrict network access to the
/terminal/wsendpoint. - Audit: Check for sensitive data in
.envfiles and rotate any credentials that may have been exposed.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
