A critical security vulnerability in the Marimo Python notebook framework is being actively exploited to achieve pre-authentication remote code execution (RCE), allowing attackers to gain full control of exposed systems.
Tracked as CVE-2026-39987, the flaw stems from a missing authentication check in a WebSocket terminal endpoint, enabling attackers to spawn system-level shells without logging in.
Security researchers warn that the vulnerability is already being weaponized to deploy NKAbuse malware, with payloads hosted on Hugging Face Spaces, an increasingly popular platform for sharing AI tools and machine learning applications.
Marimo Security Vulnerability
The issue affects Marimo versions ≤ 0.22.x concerning the /terminal/ws WebSocket endpoint.
Due to improper access control, the endpoint accepts unauthenticated connections. It directly launches a pseudo-terminal (PTY) session using pty.fork().
Unlike other protected endpoints, /terminal/ws lacks authentication enforcement, creating a critical security gap.
The issue stems from missing access control checks in the WebSocket handler:
@router.websocket(“/terminal/ws”)
async def websocket_endpoint(websocket: WebSocket) -> None:
await websocket.accept()
child_pid, fd = pty.fork() # Spawns system shell
Once connected, attackers gain interactive shell access and can execute arbitrary commands on the host system.
Attack flow (Source: Resecurity)
Marimo is widely used as a modern alternative to Jupyter Notebook, particularly in:
AI and machine learning prototyping.
Data science experiments.
Internal analytics dashboards.
Research and engineering workflows.
These environments often run in containers or cloud infrastructure, with access to sensitive resources such as API keys, databases, and internal services.
Because Marimo executes real Python code and interacts directly with the system, exploitation of this flaw leads to immediate and complete compromise.
A basic Python exploit looks like this:
import websocket
ws = websocket.WebSocket()
ws.connect(“ws://target:2718/terminal/ws”)
ws.send(“id\n”)
print(ws.recv())
ws.close()
According to Resecurity, exploitation is straightforward and requires no authentication.
The attacker connects to ws://target:2718/terminal/ws.
The server accepts the connection without validating identity.
A PTY-backed shell is spawned on the system.
The attacker executes commands such as whoami and id, or runs data-extraction scripts.
This effectively turns the vulnerable instance into a remotely accessible terminal.
Output Retrieval(Source : Resecurity)
Threat actors are leveraging the flaw to deliver NKAbuse malware, pulling payloads from Hugging Face-hosted repositories.
This highlights a growing trend where legitimate AI platforms are abused to distribute malicious tools, blending into normal developer activity.
Successful exploitation can result in:
Full system compromise via pre-auth RCE.
Exposure of sensitive data including .env files, API keys, and credentials.
Lateral movement across internal networks.
Persistence through cron jobs or startup scripts.
Container escape or host-level compromise in misconfigured environments.
Theft of proprietary AI models and datasets.
Because Marimo instances often sit within trusted environments, a single breach can escalate into a broader infrastructure incident.
The vulnerability arises from a flawed WebSocket security model. While Marimo uses authentication middleware, it does not enforce endpoint-level access control. As a result:
/ws endpoint → properly protected.
/terminal/ws endpoint → no authentication checks.
This inconsistency creates an authentication bypass, exposing dangerous functionality directly to attackers.
Mitigation and Recommendations
Organizations are urged to take immediate action:
Upgrade to Marimo 0.23.0 or later.
Avoid exposing instances to public networks.
Restrict access using VPNs or authenticated reverse proxies.
Run containers as non-root and limit privileges.
Rotate secrets and remove sensitive data from notebook environments.
Monitor for suspicious WebSocket activity and shell spawning behavior.
Security teams should assume potential compromise and proactively hunt for persistence mechanisms or unusual lateral movement.
This vulnerability underscores a critical lesson: WebSocket endpoints require explicit authentication enforcement.
In high-risk environments like AI and data science platforms, even a single oversight can open the door to full system takeover.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
The post Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks appeared first on Cyber Security News.
