CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 19, 2026

Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks

Cybersecurity News Archived May 19, 2026 ✓ Full text saved

A critical security vulnerability in the Marimo Python notebook framework is being actively exploited to achieve pre-authentication remote code execution (RCE), allowing attackers to gain full control of exposed systems. Tracked as CVE-2026-39987, the flaw stems from a missing authentication check in a WebSocket terminal endpoint, enabling attackers to spawn system-level shells without logging in. Security […] The post Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks By Abinaya May 19, 2026 A critical security vulnerability in the Marimo Python notebook framework is being actively exploited to achieve pre-authentication remote code execution (RCE), allowing attackers to gain full control of exposed systems. Tracked as CVE-2026-39987, the flaw stems from a missing authentication check in a WebSocket terminal endpoint, enabling attackers to spawn system-level shells without logging in. Security researchers warn that the vulnerability is already being weaponized to deploy NKAbuse malware, with payloads hosted on Hugging Face Spaces, an increasingly popular platform for sharing AI tools and machine learning applications. Marimo Security Vulnerability The issue affects Marimo versions ≤ 0.22.x concerning the /terminal/ws WebSocket endpoint. Due to improper access control, the endpoint accepts unauthenticated connections. It directly launches a pseudo-terminal (PTY) session using pty.fork(). Unlike other protected endpoints, /terminal/ws lacks authentication enforcement, creating a critical security gap. The issue stems from missing access control checks in the WebSocket handler: @router.websocket("/terminal/ws") async def websocket_endpoint(websocket: WebSocket) -> None:     await websocket.accept()     child_pid, fd = pty.fork() # Spawns system shell Once connected, attackers gain interactive shell access and can execute arbitrary commands on the host system. Attack flow (Source: Resecurity) Marimo is widely used as a modern alternative to Jupyter Notebook, particularly in: AI and machine learning prototyping. Data science experiments. Internal analytics dashboards. Research and engineering workflows. These environments often run in containers or cloud infrastructure, with access to sensitive resources such as API keys, databases, and internal services. Because Marimo executes real Python code and interacts directly with the system, exploitation of this flaw leads to immediate and complete compromise. A basic Python exploit looks like this: import websocket ws = websocket.WebSocket() ws.connect("ws://target:2718/terminal/ws") ws.send("id\n") print(ws.recv()) ws.close() According to Resecurity, exploitation is straightforward and requires no authentication. The attacker connects to ws://target:2718/terminal/ws. The server accepts the connection without validating identity. A PTY-backed shell is spawned on the system. The attacker executes commands such as whoami and id, or runs data-extraction scripts. This effectively turns the vulnerable instance into a remotely accessible terminal.  Output Retrieval(Source : Resecurity) Threat actors are leveraging the flaw to deliver NKAbuse malware, pulling payloads from Hugging Face-hosted repositories. This highlights a growing trend where legitimate AI platforms are abused to distribute malicious tools, blending into normal developer activity. Successful exploitation can result in: Full system compromise via pre-auth RCE. Exposure of sensitive data including .env files, API keys, and credentials. Lateral movement across internal networks. Persistence through cron jobs or startup scripts. Container escape or host-level compromise in misconfigured environments. Theft of proprietary AI models and datasets. Because Marimo instances often sit within trusted environments, a single breach can escalate into a broader infrastructure incident. The vulnerability arises from a flawed WebSocket security model. While Marimo uses authentication middleware, it does not enforce endpoint-level access control. As a result: /ws endpoint → properly protected. /terminal/ws endpoint → no authentication checks. This inconsistency creates an authentication bypass, exposing dangerous functionality directly to attackers. Mitigation and Recommendations Organizations are urged to take immediate action: Upgrade to Marimo 0.23.0 or later. Avoid exposing instances to public networks. Restrict access using VPNs or authenticated reverse proxies. Run containers as non-root and limit privileges. Rotate secrets and remove sensitive data from notebook environments. Monitor for suspicious WebSocket activity and shell spawning behavior. Security teams should assume potential compromise and proactively hunt for persistence mechanisms or unusual lateral movement. This vulnerability underscores a critical lesson: WebSocket endpoints require explicit authentication enforcement. In high-risk environments like AI and data science platforms, even a single oversight can open the door to full system takeover. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Microsoft Confirms Windows 11 Update Fails With Error 0x800f0922 JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers MistralAI PyPI Package Compromised to Inject Malicious Code – Microsoft Warns SAP Patches Critical SQL injection Vulnerability in SAP S/4HANA New Critical Exim Mailer Allows Remote Attacker to Execute Arbitrary Code Latest News Cyber Security News Critical SEPPmail Gateway Flaws Allow Remote Code Execution and Mail Traffic Theft Cyber Security News Hackers Compromise @antv Packages in Mini Shai-Hulud npm Attack Wave AWS CISA Admin Exposes AWS GovCloud Credentials on Public GitHub Repository Cyber Security News Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data Cyber Security News Mythos Preview Builds PoC Exploits in Automated Vulnerability Research
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 19, 2026
    Archived
    May 19, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗