Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure - The Hacker News

Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure Ravie LakshmananApr 10, 2026Vulnerability / Threat Intelligence A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig. The vulnerability in question is CVE-2026-39987 (CVSS score: 9.3), a pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. The issue has been addressed in version 0.23.0. "The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands," Marimo maintainers said in an advisory earlier this week. "Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification." In other words, attackers can obtain a full interactive shell on any exposed Marimo instance through a single WebSocket connection without requiring any credentials. Sysdig said it observed the first exploitation attempt targeting the vulnerability within 9 hours and 41 minutes of it being publicly disclosed, with a credential theft operation executed in minutes, despite there being no proof-of-concept (PoC) code available at the time. The unknown threat actor behind the activity is said to have connected to the /terminal/ws WebSocket endpoint on a honeypot system and initiated manual reconnaissance to explore the file system and, minutes later, systematically attempted to harvest data from the .env file, as well as search for SSH keys and read various files. The attacker returned to the honeypot an hour later to access the contents of the .env file and check if other threat actors were active during the time window. No other payloads, like cryptocurrency miners or backdoors, were installed. "The attacker built a working exploit directly from the advisory description, connected to the unauthenticated terminal endpoint, and began manually exploring the compromised environment," the cloud security company said. "The attacker connected four times over 90 minutes, with pauses between sessions. This is consistent with a human operator working through a list of targets, returning to confirm findings." The speed at which newly disclosed flaws are being weaponized indicates that threat actors are closely keeping an eye on vulnerability disclosures and quickly exploiting them during the time between disclosure and patch adoption.This, in turn, has shrunk the time defenders must respond once a vulnerability is publicly announced. "The assumption that attackers only target widely deployed platforms is wrong. Any internet-facing application with a critical advisory is a target, regardless of its popularity," Sysdig said. Update In a new report published on April 16, 2026, Sysdig said the critical Marimo flaw is being exploited to deploy a new variant of a multi-platform threat called NKAbuse that abuses a decentralized, peer-to-peer network connectivity protocol known as NKN for command-and-control. The cloud security company said it recorded 662 exploit events targeting the vulnerability between April 11 and 14, 2026. The activity originated from 11 unique source IP addresses across 10 countries. Some of the commonly observed post-exploitation actions included - Environment variable extraction Reverse shell, database enumeration, and lateral movement NKAbuse deployment via Hugging Face Spaces The third operational pattern originated from the IP address ("38.147.173[.]172"), with the attacker using a curl command to drop a shell script hosted on a Hugging Face space named "vsccode-modetx." The shell script dropper is used to launch a binary known as "kagent," an effort to mimic a legitimate Kubernetes artificial intelligence (AI) agent framework of the same name. It also terminates existing "kagent" instances and establishes persistence on both Linux and macOS systems using a systemd user service, a crontab scheduled task, and macOS LaunchAgent. The "kagent" binary is a Go-based ELF binary and a previously undocumented variant of NKAbuse. The Sysdig Threat Research Team told The Hacker News that the updated version of the malware supports additional functionality that goes beyond conducting DDoS attacks. This includes "mechanisms for remote command execution and access, as well as integration with decentralized peer-to-peer (P2P) infrastructure via the NKN blockchain. The malware can also function as a sophisticated proxy, supporting protocols such as WebRTC and STUN." "Developer workstations running notebook platforms are high-value targets: cloud credentials, SSH keys, API tokens, and internal network access," Sysdig said. "An implant on a data scientist's workstation is more valuable than one on a general-purpose server." (The story was updated after publication on April 16, 2026, to include additional insights from Sysdig.) Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Cloud security, Credential Theft, cybersecurity, Open Source, Python, remote code execution, Threat Intelligence, Vulnerability, WebSocket Trending News Your MTTD Looks Great. Your Post-Alert Gap Doesn't Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials Why Threat Intelligence Is the Missing Link in CTEM Prioritization and Validation Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation The Hidden Security Risks of Shadow AI in Enterprises Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Why Security Leaders Are Layering Email Defense on Top of Secure Email Gateways New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams Load More ▼ Popular Resources Secure Your AI Systems Across the Full Lifecycle of Risks Get Full Visibility into Vendor and Internal Risk in One Platform Learn How to Block Breached Passwords in Active Directory Before Attacks [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls