PT-2026-31594 · Marimo · Marimo

Published 2026-04-08 · Updated 2026-05-31 · CVE-2026-39987

CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Marimo versions prior to 0.23.0
Description: Marimo contains a pre-authentication remote code execution flaw. The terminal WebSocket endpoint "/terminal/ws" performs no authentication validation, unlike other endpoints such as "/ws", which use the validate_auth() function. This omission allows an unauthenticated remote attacker to establish a WebSocket connection, obtain a full PTY shell, and execute arbitrary system commands with the privileges of the notebook owner, often root in default Docker deployments.
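The guard gap the description refers to, as an added illustration that is not marimo's code: a hypothetical validate_auth() registered on /ws but absent from /terminal/ws, next to the hardened layout where every WebSocket route shares the guard, plus an audit helper that lists unguarded routes. The access_token query parameter, the Request model and the token value are assumptions.

```python
# Added illustration, not marimo's code. Framework-agnostic model of a per-route
# WebSocket auth guard, so the missing check on /terminal/ws is visible and auditable.
from dataclasses import dataclass, field
import hmac


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


def validate_auth(req: Request, server_token: str) -> bool:
    """Hypothetical stand-in for the validate_auth() the advisory mentions:
    accept only if the request carries the server token (constant-time compare)."""
    presented = req.query.get("access_token") or req.headers.get(
        "authorization", ""
    ).removeprefix("Bearer ").strip()
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), server_token.encode())


# Vulnerable layout (models the advisory): guard registered on /ws only.
VULNERABLE_ROUTES = {"/ws": validate_auth, "/terminal/ws": None}
# Hardened layout: every WebSocket route goes through the same guard.
HARDENED_ROUTES = {"/ws": validate_auth, "/terminal/ws": validate_auth}


def authorize_upgrade(routes: dict, req: Request, server_token: str) -> bool:
    """Decide whether a WebSocket upgrade on req.path may be accepted.
    A route with no guard (None) accepts anyone, which is exactly the flaw."""
    if req.path not in routes:
        return False
    guard = routes[req.path]
    if guard is None:
        return True
    return guard(req, server_token)


def unguarded_routes(routes: dict) -> list:
    """Audit helper: WebSocket routes that would accept an unauthenticated upgrade."""
    return sorted(path for path, guard in routes.items() if guard is None)
```

Running unguarded_routes() over the real route table at startup (or in CI) turns this class of omission into a failing check rather than a pre-auth shell.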
Real-world incidents have demonstrated the severity of this issue, including an attack in which an LLM-driven agent orchestrated a complete attack chain. The agent exploited the terminal RCE to harvest AWS credentials and retrieve an SSH private key from AWS Secrets Manager, then exfiltrated a full PostgreSQL database schema and its contents via eight parallel SSH sessions in under two minutes. Other observed activity involved the deployment of a Go-based backdoor called NKAbuse, which uses the NKN blockchain for command-and-control, and the harvesting of environment variables such as DATABASE_URL and API tokens.
Recommendations: Update to version 0.23.0. As a temporary mitigation, place all notebook servers behind a VPN or a Zero Trust Network Access (ZTNA) gateway and ensure the server port (default 8080) is not reachable from the public internet. Start the server with the --token or --password flag and avoid running the software in Public mode without an external authentication layer. Use Linux namespaces or Docker containers to isolate the process from the host system's network and file system.

Exploit

Fix

RCE

Missing Authentication

Weakness Enumeration

Related Identifiers

BDU:2026-05278
CVE-2026-39987
GHSA-2679-6MX9-H9XC

Affected Products

Marimo