Threat Advisories:
Operation TrustTrap: APT36 Weaponizes 16,800 Spoofed Domains Patched but Not Cured: FIRESTARTER Backdoor Survives Cisco Firewall Upgrades The Gentlemen Ransomware: A Rapidly Scaling RaaS Threat Tropic Trooper Shifts Tradecraft to Open-Source Offensive Frameworks UNC6692 Social Engineering Campaign Deploying SNOW Malware Suite April 2026 Linux Patch Roundup LOTUSLITE v1.1: Enhanced Evasion Meets Banking-Themed Social Engineering Lotus Wiper: Silent Sabotage Targeting Venezuela’s Energy Sector Brand Hijack in Cybercrime: Who Is Pretending to Be ShinyHunters? Nexcorium: IoT Botnet Campaign Exploiting TBK DVR Devices CVE-2026-34197: Jolokia Exposure Enables RCE in ActiveMQ Inside the PHANTOMPULSE Social Engineering Kill Chain Payouts King Ransomware Blending In Before Breaking Through MCPwn: Critical Nginx UI Bug Opens the Door to Remote Control Microsoft’s April 2026 Patch Tuesday Storm-2755’s Silent Payroll Heist Targeting Canada From Advisory to Attack in Under 10 Hours: Marimo’s Critical RCE Flaw Handala Claims Destructive Wiper Attack on GCC Nation’s Critical Infrastructure Active Exploitation of Critical Adobe Prototype Pollution Flaw Masjesu: Exploit-Driven Botnet with Stealth, Scale, and Staying Power
New Report Critical Threat Research : The Iranian Cyber War Intensifies! Download the Report
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s ComparisonSave Cost , Reduce Complexity and Increase Security by Augmenting and Replacing your existing Vulnerability Management platform
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Learning Center
Podcasts
Threat Advisories
Threat Digests
Blog
Whitepapers
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Whitepapers
Press Releases
connect
Webinars & Videos
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoFree Iranian Exposure Assessment
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s Comparison
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Learning Center
Podcasts
Threat Advisories
Threat Digests
Blog
Whitepapers
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Whitepapers
Press Releases
connect
Webinars & Videos
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoFree Iranian Exposure Assessment

From Advisory to Attack in Under 10 Hours: Marimo’s Critical RCE Flaw

Red | Vulnerability Report
Download PDF

Summary

CVE-2026-39987 represents a critical pre-authenticated remote code execution vulnerability affecting Marimo, an open-source reactive Python notebook platform widely used for data science, analysis, and interactive coding workflows.

This vulnerability, carrying a CVSS score of 9.3, impacts all Marimo versions prior to 0.23.0 and stems from a complete absence of authentication validation on the /terminal/ws WebSocket endpoint. This authentication bypass allows any unauthenticated remote attacker to obtain a full PTY (pseudo-terminal) shell and execute arbitrary system commands on vulnerable Marimo instances through a single WebSocket connection, without requiring any credentials, user interaction, or prior compromise.

The vulnerability was publicly disclosed on April 8, 2026, through a security advisory that detailed the technical root cause and exploitation methodology. Remarkably, active exploitation in the wild was observed within just 9 hours and 41 minutes of the advisory’s publication, demonstrating the rapidly shrinking window between vulnerability disclosure and weaponization.

This extremely brief time-to-exploit window occurred without any public proof-of-concept code being available, indicating that attackers crafted working exploits directly from the advisory’s technical description alone.

Security researchers operating honeypot infrastructure detected the first exploitation attempt when an attacker connected to the unauthenticated terminal WebSocket endpoint and conducted manual reconnaissance activities across four distinct sessions spanning approximately 90 minutes.

The attacker’s activities focused primarily on credential harvesting and data collection rather than deployment of persistent malware, cryptominers, or backdoors. Specific attacker objectives included:

  • Harvesting credentials from .env environment files commonly used in Python development workflows
  • Searching for SSH private keys that could enable lateral movement
  • Conducting comprehensive file system exploration to identify valuable data repositories

The vulnerability’s root cause lies in inconsistent security control implementation across Marimo’s WebSocket endpoints. While other endpoints such as /ws properly invoke the validate_auth() authentication function, the /terminal/ws endpoint completely bypasses this validation step.

The impact severity extends significantly beyond simple server compromise. Marimo environments frequently store sensitive API keys for Large Language Model providers (OpenAI, Anthropic, Cohere, etc.) as well as cloud service credentials for AWS, Google Cloud Platform, and Azure infrastructure.

Exfiltration of these credentials could enable:

  • Lateral movement into cloud infrastructure hosting production workloads
  • Unauthorized abuse of expensive AI services
  • Exposure of proprietary datasets or machine learning artifacts
  • Compromise of interconnected development and production environments

The observed exploitation pattern suggests professional threat actor involvement rather than opportunistic scanning. The attacker demonstrated:

  • Methodical manual reconnaissance
  • Focus on high-value credential theft
  • Operational security discipline (no persistent backdoors)

Organizations running Marimo face immediate risk requiring emergency remediation.

Vulnerability Details

Technical Root Cause and Authentication Bypass Mechanism

CVE-2026-39987 exists due to architectural inconsistency in authentication enforcement across Marimo’s WebSocket endpoint implementations.

  • Most endpoints (e.g., /ws) invoke validate_auth() before granting access
  • The /terminal/ws endpoint omits authentication entirely

This allows unauthenticated attackers to establish WebSocket connections and gain full terminal access.

Upon connection, attackers receive a full PTY shell with the privileges of the Marimo process user, enabling:

  • Arbitrary command execution
  • File system navigation
  • Sensitive file access
  • System configuration modification

Exploitation Timeline and Attacker Methodology

  • Disclosure Date: April 8, 2026
  • First Exploit Observed: 9 hours 41 minutes later

No public proof-of-concept code was available during initial exploitation.

The attacker:

  • Conducted 4 sessions over ~90 minutes
  • Performed systematic file enumeration
  • Harvested .env credentials
  • Searched for SSH keys
  • Explored project directories

Notably, the attacker did NOT:

  • Deploy malware
  • Install cryptominers
  • Establish persistence
  • Perform destructive actions

This indicates targeted credential harvesting.

Impact Scope and Credential Exposure Risk

The impact extends beyond server compromise due to sensitive data stored in Marimo environments.

At-Risk Data Includes:

  • LLM API keys (OpenAI, Anthropic, Cohere, Gemini, etc.)
  • Cloud credentials (AWS, GCP, Azure)
  • Database connection strings
  • SSH private keys
  • Proprietary datasets and ML models

Potential Consequences:

  • Abuse of AI services (cost exploitation, prompt injection)
  • Lateral movement into cloud environments
  • Data exfiltration
  • Deployment of additional attack infrastructure

Patch Availability and Remediation

Marimo version 0.23.0 fixes the vulnerability by enforcing authentication on /terminal/ws.

If Immediate Upgrade Is Not Possible:

  • Restrict access via firewall or reverse proxy
  • Disable terminal functionality
  • Deploy only in private networks

Recommendations

1. Upgrade Marimo to Version 0.23.0 Immediately

All organizations must upgrade without delay.

If not possible:

  • Restrict /terminal/ws access
  • Apply firewall/WAF rules
  • Disable terminal feature

2. Audit and Rotate All Potentially Exposed Credentials

Audit all accessible credentials:

  • .env files and environment variables
  • SSH keys (.ssh directories)
  • Config files with tokens
  • Hardcoded secrets in repositories

Action: Rotate all credentials—even without confirmed compromise.

3. Restrict Network Exposure of Notebook Environments

Notebook platforms should never be exposed without protection.

Recommended Controls:

  • VPN access
  • Private subnets
  • Authenticated reverse proxies (SSO, OAuth, MFA)
  • Avoid binding to 0.0.0.0 unless secured

4. Implement Container Security Hardening

For containerized deployments:

  • Run as non-root user
  • Use read-only filesystems
  • Minimize Linux capabilities
  • Apply resource limits

5. Deploy WebSocket Monitoring and Anomaly Detection

Monitor for:

  • Unexpected /terminal/ws connections
  • Unusual shell process spawning
  • Abnormal process trees
  • Suspicious outbound traffic
  • Bulk access to sensitive files

Key Insight: Any external /terminal/ws access is a high-confidence indicator of compromise.

MITRE ATT&CK TTPs

Initial Access

  • T1190: Exploit Public-Facing Application

Execution

  • T1059: Command and Scripting Interpreter
    • T1059.004: Unix Shell
    • T1059.006: Python

Discovery

  • T1083: File and Directory Discovery
  • T1016: System Network Configuration Discovery
  • T1082: System Information Discovery

Credential Access

  • T1552: Unsecured Credentials
    • T1552.001: Credentials in Files

Collection

  • T1005: Data from Local System

Lateral Movement

  • T1021: Remote Services
    • T1021.004: SSH

References

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox