PT-2026-31594 · Marimo · Marimo
Published
2026-04-08
·
Updated
2026-07-09
·
CVE-2026-39987
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Marimo versions prior to 0.23.0
Description
Marimo contains a pre-authentication remote code execution (RCE) flaw. The terminal WebSocket endpoint
/terminal/ws fails to perform authentication validation, unlike other endpoints such as /ws which correctly utilize the validate auth() function. This omission allows an unauthenticated remote attacker to establish a connection and obtain a full PTY shell, enabling the execution of arbitrary system commands with the privileges of the notebook owner, often as root in default Docker deployments.Real-world incidents have demonstrated the severity of this issue, including the first publicly documented case of an LLM agent autonomously conducting a full post-exploitation chain. In one instance, an attacker used the flaw to compromise a notebook, harvest cloud credentials, access AWS Secrets Manager for SSH keys, and exfiltrate an entire PostgreSQL database in under an hour. Other observed attacks involved the deployment of the NKAbuse Go backdoor and the use of Docker socket mounts to achieve host root access and Kubernetes credential replay.
Recommendations
Update Marimo to version 0.23.0 or later.
As a temporary workaround, restrict network access to the
/terminal/ws endpoint or disable the terminal feature entirely.
Place Marimo notebook servers behind a VPN or Zero Trust Network Access (ZTNA) gateway to block public WAN access.
Enable the --token or --password flags upon startup to ensure mandatory authentication.Exploit
Fix
LPE
RCE
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Marimo