CVE-2026-39987

Name of the Vulnerable Software and Affected Versions Marimo versions prior to 0.23.0

Description Marimo, a reactive Python notebook, contains a pre-authentication remote code execution issue. The terminal WebSocket endpoint '/terminal/ws' fails to perform authentication validation, unlike the '/ws' endpoint which correctly utilizes the validate auth() function. This allows an unauthenticated remote attacker to establish a connection and obtain a full PTY shell, enabling the execution of arbitrary system commands with the privileges of the notebook owner, often as root in default Docker deployments.

Real-world incidents include an AI agent-driven intrusion that orchestrated a complete attack chain from notebook compromise to internal database exfiltration in under one hour. Other attacks involved the deployment of the NKAbuse malware variant via malicious Hugging Face Spaces to conduct credential harvesting (targeting AWS keys, DATABASE URL, and API tokens) and lateral movement to PostgreSQL and Redis databases. Forensic evidence shows attackers used machine-optimized command structures with specific delimiters and rapid IP rotation to evade detection.

Recommendations Update to version 0.23.0. As a temporary workaround, place all notebook servers behind a VPN or a Zero Trust Network Access (ZTNA) gateway and ensure the server port (default 8080) is not reachable from the public internet. Enable the --token or --password flags upon startup and avoid running in Public mode without an external authentication layer. Utilize Linux namespaces or Docker containers to isolate the process from the host system's network and file system.