CyberSecurity News

Critical Marimo Flaw Allows Remote Code Execution Attacks

A critical security vulnerability within the Marimo Python notebook framework is under active exploitation. This flaw enables pre-authentication remote code execution (RCE), allowing attackers to...

David kimber
David kimber
May 19, 2026 3 Min Read
2 0

A critical security vulnerability within the Marimo Python notebook framework is under active exploitation. This flaw enables pre-authentication remote code execution (RCE), allowing attackers to gain full control of exposed systems.

Tracked as CVE-2026-39987, the flaw stems from a missing authentication check in a WebSocket terminal endpoint, enabling attackers to spawn system-level shells without logging in.

Security researchers warn that the vulnerability is already being weaponized to deploy NKAbuse malware, with payloads hosted on Hugging Face Spaces, an increasingly popular platform for sharing AI tools and machine learning applications.

Marimo Security Vulnerability

The issue affects Marimo versions ≤ 0.22.x concerning the /terminal/ws WebSocket endpoint.

Due to improper access control, the endpoint accepts unauthenticated connections. It directly launches a pseudo-terminal (PTY) session using pty.fork().

Unlike other protected endpoints, /terminal/ws lacks authentication enforcement, creating a critical security gap.

The issue stems from missing access control checks in the WebSocket handler:

@router.websocket("/terminal/ws")
async def websocket_endpoint(websocket: WebSocket) -> None:
    await websocket.accept()
    child_pid, fd = pty.fork() # Spawns system shell

Once connected, attackers gain interactive shell access and can execute arbitrary commands on the host system.

Attack flow (Source: Resecurity)
Attack flow (Source: Resecurity)

Marimo is widely used as a modern alternative to Jupyter Notebook, particularly in:

  • AI and machine learning prototyping.
  • Data science experiments.
  • Internal analytics dashboards.
  • Research and engineering workflows.

These environments often run in containers or cloud infrastructure, with access to sensitive resources such as API keys, databases, and internal services.

Because Marimo executes real Python code and interacts directly with the system, exploitation of this flaw leads to immediate and complete compromise.

A basic Python exploit looks like this:

import websocket
ws = websocket.WebSocket()
ws.connect("ws://target:2718/terminal/ws")
ws.send("idn")
print(ws.recv())
ws.close()

According to Resecurity, exploitation is straightforward and requires no authentication.

  • The attacker connects to ws://target:2718/terminal/ws.
  • The server accepts the connection without validating identity.
  • A PTY-backed shell is spawned on the system.
  • The attacker executes commands such as whoami and id, or runs data-extraction scripts.

This effectively turns the vulnerable instance into a remotely accessible terminal.

 Output Retrieval(Source : Resecurity)
 Output Retrieval(Source : Resecurity)

Threat actors are leveraging the flaw to deliver NKAbuse malware, pulling payloads from Hugging Face-hosted repositories.

This highlights a growing trend where legitimate AI platforms are abused to distribute malicious tools, blending into normal developer activity.

Successful exploitation can result in:

  • Full system compromise via pre-auth RCE.
  • Exposure of sensitive data including .env files, API keys, and credentials.
  • Lateral movement across internal networks.
  • Persistence through cron jobs or startup scripts.
  • Container escape or host-level compromise in misconfigured environments.
  • Theft of proprietary AI models and datasets.

Because Marimo instances often sit within trusted environments, a single breach can escalate into a broader infrastructure incident.

The vulnerability arises from a flawed WebSocket security model. While Marimo uses authentication middleware, it does not enforce endpoint-level access control. As a result:

  • /ws endpoint → properly protected.
  • /terminal/ws endpoint → no authentication checks.

This inconsistency creates an authentication bypass, exposing dangerous functionality directly to attackers.

Mitigation and Recommendations

Organizations are urged to take immediate action:

  • Upgrade to Marimo 0.23.0 or later.
  • Avoid exposing instances to public networks.
  • Restrict access using VPNs or authenticated reverse proxies.
  • Run containers as non-root and limit privileges.
  • Rotate secrets and remove sensitive data from notebook environments.
  • Monitor for suspicious WebSocket activity and shell spawning behavior.

Security teams should assume potential compromise and proactively hunt for persistence mechanisms or unusual lateral movement.

This vulnerability underscores a critical lesson: WebSocket endpoints require explicit authentication enforcement.

In high-risk environments like AI and data science platforms, even a single oversight can open the door to full system takeover.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachCVEExploitMalwareSecurityThreatVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

No Comment! Be the first one.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts