
















On April 8, 2026, a critical vulnerability was disclosed in marimo, an open-source reactive Python notebook platform. Tracked as CVE-2026-39987, it is a pre-authentication remote code execution (RCE) vulnerability in the terminal WebSocket endpoint that allows attackers to obtain a full interactive shell on any exposed marimo instance through a single WebSocket connection – no credentials required.
Within 9 hours and 41 minutes of the vulnerability advisory’s publication, the Sysdig Threat Research Team (TRT) observed the first exploitation attempt in the wild, and a complete credential theft operation was executed in under 3 minutes. No public proof-of-concept (PoC) code existed at the time. The attacker built a working exploit directly from the advisory description, connected to the unauthenticated terminal endpoint, and began manually exploring the compromised environment. This also recently happened with a Langflow flaw (CVE-2026-33017), where, with no public exploit, the vulnerability was exploited within 20 hours. This marimo vulnerability exploitation cuts that time in less than half.
What makes this case particularly notable is the target: Marimo is not a household name in enterprise software. With approximately 20,000 GitHub stars, it is a fraction of the size of platforms like Langflow (145,000+ stars) or n8n (75,000+ stars) that have historically attracted mass scanning campaigns. The speed of exploitation seen by the Sysdig TRT suggests that threat actors are monitoring advisory feeds broadly, not just for high-profile targets, and are capable of weaponizing vulnerabilities in niche software within hours of disclosure. It also implies that threat actors are using AI to analyze vulnerability advisory descriptions, build working exploits, and accelerate their operations.
Within hours of the advisory’s publication, the Sysdig TRT deployed honeypot nodes running vulnerable marimo instances across multiple cloud providers. The activity TRT captured, detailed below, provides a clear picture of how a single attacker moved from initial access to credential theft in a matter of minutes.
|
Time (UTC) |
Event |
|
Apr 8, 21:50 |
Advisory GHSA-2679-6mx9-h9xc published on GitHub |
|
Apr 9, 07:31 |
First exploitation attempt observed (from 49.207.56.74) |
|
Apr 9, 07:44 |
Attacker exfiltrates .env file containing credentials |
|
Apr 9, 08:57 |
Attacker returns for a second exploitation session |
The gap between advisory publication and first exploitation was 9 hours and 41 minutes. No public PoC code existed on GitHub or any major exploit repository at the time of the initial attack. The advisory itself contained enough detail for an attacker to construct a working exploit: the vulnerable endpoint path (/terminal/ws) and the fact that it lacked authentication, unlike the other WebSocket endpoints in the application.
Marimo is an open-source reactive Python notebook designed as a modern alternative to Jupyter. It stores notebooks as pure Python files, supports reactive execution, and can be deployed as interactive web applications. While smaller than mainstream notebook platforms, marimo has an active community and is used in data science and research workflows.
CVE-2026-39987 (CVSS v4.0: 9.3, Critical) affects the /terminal/ws WebSocket endpoint in marimo versions 0.20.4 and earlier. The vulnerability is straightforward. This endpoint provides an interactive PTY (pseudo-terminal) shell but completely lacks authentication validation. Other WebSocket endpoints in the application, such as /ws, correctly call validate_auth() before accepting connections. The terminal endpoint skips this check entirely, accepting connections from any unauthenticated user and granting a full interactive shell running with the privileges of the marimo process.
The fix was released in version 0.23.0 via PR #9098: https://github.com/marimo-team/marimo/pull/9098.
Several characteristics made this vulnerability attractive despite marimo's relatively small user base:
/terminal/ws has a shell. There is no payload to craft, no injection to format, no encoding to get right. The attacker can walk right in.Over the first 12 hours following advisory publication, we recorded exploit activity from one source IP targeting our honeypot fleet. An additional 125 unique IPs conducted reconnaissance (port scanning, HTTP probing), but only one progressed to actual exploitation of the WebSocket terminal vulnerability.
The attacker connected to the /terminal/ws WebSocket endpoint on the honeypot GCP node in europe-west1-b and immediately ran a scripted validation sequence:
echo '---POC-START---'
id
echo '---POC-END---'The marker strings (---POC-START--- and ---POC-END---) and the use of id as the test command indicate this is a structured PoC script, not manual typing. The attacker is confirming code execution before investing time in manual exploration. The session lasted 9 seconds before the attacker disconnected.
Two minutes later, the attacker reconnected and began manual exploration:
pwd → /app/marimo
whoami → marimo
ls → marimo logs data .env docker-compose.yml celerybeat-scheduleThe attacker attempted to navigate the filesystem using cd ../, cd logs, and cd ~/.ssh, and ran ls after each attempt to check their position. They also tried ipaddr (likely meaning ip addr) to enumerate network interfaces. These reconnaissance processes appeared to be manual, not AI-driven, based on the timeline and steps taken.
After a 6-minute pause, the attacker reconnected for a focused credential harvesting session. They immediately listed the directory and then targeted the .env file:
ls → marimo logs data .env docker-compose.yml celerybeat-schedule
cat .env → HOME=/app/marimo
PATH=/usr/local/bin:/usr/bin:/bin
HOSTNAME=prod-app-e29e
AWS_DEFAULT_REGION=us-east-1
AWS_ACCESS_KEY_ID=AKIA01FB...The honeypot returned realistic fake credentials in the .env response, including AWS access keys and application secrets. In a real deployment, this is exactly the data an attacker would need to pivot from the compromised notebook instance to cloud accounts, databases, and third-party APIs.
The attacker then methodically attempted to read every file in the directory:
cat data
cat docker-compose.yml
cat celerybeat-schedule
cat marimo
cat logsThey also searched for SSH keys:
ls ~
ls ~/
ls ~/.ssh
cd ~/ssh
cd ~/.sshThe session ended with the attacker running exit at 07:45 UTC. This is a complete credential theft operation executed in under 3 minutes.
Over an hour later, the attacker returned and re-ran their PoC validation script (echo markers + id), then reconnected and re-read the .env file. They also ran history, likely checking whether other attackers had been active on the same instance. The session ended at 09:04 UTC.
The exploitation patterns reveal a methodical operator, not an automated scanner:
.env credentials and SSH keys. They did not attempt to install persistence, deploy cryptominers, or download additional tools.The 9-hour-41-minute window between advisory publication and first exploitation continues a trend that has been accelerating over the past several years. The Zero Day Clock project, which tracks data across 83,000+ CVEs, shows the median time-to-exploit has collapsed from 771 days in 2018 to just hours in recent years. By 2023, 44% of exploited vulnerabilities were weaponized within 24 hours of disclosure. The Sysdig TRT’s observation of CVE-2026-39987 fits squarely in this trend.
What distinguishes this case is the target. Marimo is not Langflow, not Jenkins, and not GitLab. It has 20,000 GitHub stars, not 145,000. It does not currently appear in CISA's Known Exploited Vulnerabilities (KEV) catalog. It is not a common target for mass scanning campaigns. Yet, within 10 hours of a critical advisory being published, an attacker built a working exploit and was actively harvesting credentials from exposed instances much faster than vulnerable organizations could manually patch.
This has implications for how organizations assess their exposure:
Source IPs
|
IP |
Location |
Activity |
|
49.207.56.74 |
Activity IN (India) |
WebSocket terminal exploitation, credential theft |
Note: The source IP may be a proxy or VPN endpoint rather than the operator's true origin.
/terminal/ws endpoint or disable the terminal feature entirely. .env files, and secrets on any marimo instance that has been publicly accessible. Rotate AWS credentials, API keys, database passwords, and SSH keys as a precaution./terminal/ws from unexpected sources. Legitimate use of the terminal feature should be limited to authenticated users on internal networks.CVE-2026-39987 demonstrates that the collapse of exploitation timelines is not limited to the most popular software. A critical vulnerability in a Python notebook with 20,000 GitHub stars was weaponized in under 10 hours, with no public PoC and no CVE number assigned, and a complete credential theft operation was executed in under 3 minutes. The attacker needed nothing more than the advisory text and a WebSocket client.
For defenders, the takeaway is that advisory monitoring must extend beyond CVE databases and high-profile projects. Any internet-facing application with a published critical vulnerability is a potential target within hours of disclosure, regardless of its install base.
Runtime detection, network segmentation, and rapid credential rotation remain the most effective controls when the patch window is measured in hours rather than days.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。