Attacker slides into the WebSocket. No password prompt. Boom—full PTY shell on a Marimo server, poking around files like it’s their playground.
That’s not fiction. Sysdig’s honeypot lit up with the first hit on CVE-2026-39987, Marimo’s pre-auth RCE nightmare, barely 9 hours and 41 minutes after disclosure. Marimo—that slick open-source Python notebook chasing Jupyter’s crown for data science—suddenly exposed.
What the Hell Happened Here?
Marimo maintainers dropped the advisory mid-week, blunt as a hammer.
“The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.”
Unlike saner endpoints like /ws, which hit validate_auth() first, this one? Skips straight to mode checks and platform nods. Connect, and you’re in—arbitrary commands, file reads, the works. CVSS 9.3. All versions up to 0.20.4. Patch in 0.23.0, but who patches that fast?
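A simplified model of that gap, with the regression check that catches it (an added example, not Marimo's code). Only /ws, /terminal/ws and the name validate_auth() come from the advisory; the handlers, SERVER_MODE, VALID_TOKEN and the helper functions are hypothetical.

```python
import asyncio

VALID_TOKEN = "constructed-token"   # constructed sample credential
SERVER_MODE = "edit"                # assumed value, stands in for the mode check

def validate_auth(scope):
    """Stand-in for the auth check the advisory says /ws performs."""
    headers = dict(scope.get("headers", []))
    return headers.get(b"authorization") == b"Bearer " + VALID_TOKEN.encode()

async def ws_handler(scope, receive, send):
    await receive()                              # websocket.connect
    if not validate_auth(scope):                 # auth first, accept second
        await send({"type": "websocket.close", "code": 1008})
        return
    await send({"type": "websocket.accept"})

async def terminal_handler(scope, receive, send):
    await receive()
    # Modelled flaw: a mode check only, validate_auth() is never called.
    if SERVER_MODE != "edit":
        await send({"type": "websocket.close", "code": 1008})
        return
    await send({"type": "websocket.accept"})

ROUTES = {"/ws": ws_handler, "/terminal/ws": terminal_handler}

async def app(scope, receive, send):
    await ROUTES[scope["path"]](scope, receive, send)

async def accepts_handshake(asgi_app, path, headers):
    """Drive one ASGI WebSocket handshake and report whether it was accepted."""
    sent = []
    async def receive():
        return {"type": "websocket.connect"}
    async def send(message):
        sent.append(message["type"])
    scope = {"type": "websocket", "path": path, "headers": headers}
    await asgi_app(scope, receive, send)
    return "websocket.accept" in sent

def routes_accepting_without_auth(asgi_app, paths):
    """Return every WebSocket path that accepts a handshake with no credentials."""
    return [p for p in paths if asyncio.run(accepts_handshake(asgi_app, p, []))]

if __name__ == "__main__":
    print(routes_accepting_without_auth(app, ROUTES))
```

Run over every registered WebSocket route in CI, a check like this fails the build the moment a new endpoint ships without its auth gate.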
Architecturally, it’s a classic oversight in reactive UIs. Marimo’s built for interactivity—live notebooks, collaborative vibes—but that terminal feature? Meant for devs tweaking server-side, I bet. Exposed publicly? Rookie move, or rushed dev sprint?
Picture this: data scientists firing up Marimo on exposed ports for quick shares. AWS EC2, DigitalOcean droplets, whatever. No firewall fuss. Suddenly, anyone’s got shell access. And Sysdig watched it unfold live.
The threat actor—solo wolf, probably—hooks the /terminal/ws on their trap. Manual recon: ls, cat .env, hunting SSH keys. Minutes later, credential grab. Hour break, back for more, scoping rivals. No miners, no persistence. Just harvest and ghost.
“The attacker built a working exploit directly from the advisory description,” Sysdig noted. Four connects over 90 minutes. Human cadence, checklist style.
Why Did This Land So Damn Fast?
No PoC. Disclosure hits, boom—exploitation. That’s the new normal, folks. Threat actors scrape advisories like vultures. NVD, GitHub, Exploit-DB—RSS feeds on steroids.
Marimo’s niche? Doesn’t matter. Data notebooks scream sensitive: API keys in .env, proprietary models, creds everywhere. Attackers know devs hoist these on the net for “convenience.” Jupyter had similar slips years back—remember CVE-2021-29040? But Marimo’s fresh, shiny, under-the-radar.
Here’s my take, one you won’t find in Sysdig’s post: this reeks of architectural drift in open-source data tools. Back in Jupyter’s day, notebooks stayed local-ish. Now? Cloud-native, WebSocket-heavy, multi-user dreams. Auth gets bolted on late, terminals as afterthoughts. Marimo chased usability over lockdown—fair for prototypes, fatal for prod.
And the speed? Shrinking windows. Patch Tuesday? Nah. Disclosure-to-exploit now hours for crits. Defenders blink, lose.
But wait—Sysdig stresses: “The assumption that attackers only target widely deployed platforms is wrong. Any internet-facing application with a critical advisory is a target, regardless of its popularity.”
Spot on. Marimo’s got thousands of installs? Enough for low-hanging fruit.
How’d the Attacker Even Build It Sans PoC?
Advisory’s gold. Describes the skip: no validate_auth(), just running mode and platform. Smart op reverse-engineers Marimo’s WebSocket handshake—probably ws library quirks, JSON payloads for cmds.
Connect. Send shell init. PTY grants interactive bliss. From there, bash one-liners: find .ssh, grep passwords, curl .env. Pauses? Thinking, scripting next moves.
Sysdig’s logs paint it human: exploratory, not scripted blast. Prolly scanning Shodan for Marimo banners—user-agent strings, port 2718 defaults.
Unique angle: this mirrors Log4Shell’s early hits. Noisy vuln, advisory details, ops with WebSocket chops pivot fast. Prediction? Data science stacks—Marimo, Streamlit, Voila—next wave. Why? Goldmine data, weak perimeters.
Exposed Marimo instances? Scan ’em. Shodan queries like port:2718 marimo already buzzing post-disclosure.
Teams: audit notebooks. Firewall WebSockets. Least priv. But most? Won’t till breach.
Is Marimo’s Flaw a Broader Data Tool Wake-Up?
Absolutely. Jupyter, Zeppelin—history repeats. But Marimo’s push for reactive UIs amps risks. Full terminal? Power user candy, attacker feast.
Critique the spin: maintainers fixed quick—props. But why ship unauth terminals? Usability trumps security again. Open-source velocity’s double-edged: rapid iter, rapid holes.
Bold call: niche DS tools now priority targets. ML ops hoard keys, datasets. Exploit this, sell access on underground markets. Watch breaches spike.
Patch now. 0.23.0. Disable terminals. Airgap if paranoid.
Defenders: monitor advisories real-time. Automate scans. Assume exposure.
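For the "assume exposure" step, one way to review reverse-proxy logs for handshakes against /terminal/ws from outside trusted networks (an added example, not from Sysdig or Marimo). The log lines are constructed in nginx combined format, and TRUSTED_NETS and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Networks allowed to reach the terminal endpoint (assumption for this example).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

# Constructed sample lines in nginx "combined" format, not real traffic.
SAMPLE_LOG = """\
10.0.4.17 - - [12/Jan/2026:09:14:02 +0000] "GET /ws?session_id=a1 HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Jan/2026:09:20:41 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "example-client/1.0"
203.0.113.50 - - [12/Jan/2026:09:35:10 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "example-client/1.0"
198.51.100.9 - - [12/Jan/2026:09:36:00 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "example-client/1.0"
10.0.4.17 - - [12/Jan/2026:09:40:00 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_trusted(ip):
    """True only when the client address parses and sits inside TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostname or garbage in the client field: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def find_terminal_ws_hits(log_text):
    """Group untrusted-source requests to /terminal/ws by client IP.

    Status 101 means the WebSocket upgrade completed; on an affected
    version that is an opened terminal session and needs incident response.
    """
    hits = defaultdict(lambda: {"upgraded": [], "refused": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"].split("?", 1)[0].rstrip("/") != "/terminal/ws":
            continue
        if is_trusted(m["ip"]):
            continue
        bucket = "upgraded" if m["status"] == "101" else "refused"
        hits[m["ip"]][bucket].append(m["ts"])
    return dict(hits)

if __name__ == "__main__":
    for ip, seen in find_terminal_ws_hits(SAMPLE_LOG).items():
        print(ip, seen)
```

Any source with entries under "upgraded" on a pre-0.23.0 host warrants rotating every credential that server could read, starting with .env files and SSH keys.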
Frequently Asked Questions
What is CVE-2026-39987 in Marimo?
Pre-auth RCE via /terminal/ws endpoint, skipping auth checks. Full shell access, no creds needed. Affects versions <=0.20.4.
How quickly was Marimo’s RCE exploited?
First hit 9 hours 41 mins post-disclosure on Sysdig honeypot. Manual ops grabbed .env creds, SSH hunts.
Should I patch my Marimo install now?
Yes—upgrade to 0.23.0 immediately. Block /terminal/ws externally. Scan for exposures.