[CDP-development] [ACTION REQUIRED] TLP:GREEN (Vulnerability Alert Notification) CVE-2026-39987 : Critical Remote Code Execution in Marimo
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Thu Apr 23 13:50:42 PDT 2026
Good afternoon,
The SOC Services team is reporting on the vulnerability CVE-2026-39987 : Critical Remote Code Execution in Marimo, which affects all network-accessible Marimo instances with the terminal feature enabled. Because of confirmed active exploitation, including deployment of NKAbuse malware and credential theft, we are providing this in-depth information.
History: The vulnerability was publicly disclosed on April 9, 2026, following reports of mass exploitation. GitHub has assigned a CVSS v4.0 base score of 9.3 (CRITICAL). At this time, NIST NVD has not assessed or scored this vulnerability under CVSS v3.x.
Affected Versions
* Marimo < 0.23.0
Fixed Versions
* Marimo >= 0.23.0
Marimo is a reactive Python notebook for data science that allows users to create interactive tools and reproducible notebooks.
Vendor Advisory: marimo GitHub Advisory: Pre-Auth RCE in /terminal/ws <https://github.com/marimo-team/marimo/security/advisories/GHSA-m8gj-6756-p63w>
Intelligence: A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig. On April 23, 2026, CISA confirmed the vulnerability in the Known Exploited Vulnerabilities Catalog.
Exploitability: Network Exploitability
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes
Proof of Concept: Publicly disclosed technical details equivalent to a PoC
Zero Day: No (Exploitation began shortly after N-Day disclosure)
Workarounds: Disable the terminal feature in Marimo configuration if immediate patching is not possible; Restrict network access to Marimo instances via VPN or IP allow-listing.
How it Works: The /terminal/ws endpoint does not call the validate_auth() function that the other WebSocket endpoints use. An attacker can open a WebSocket connection to this endpoint without any credentials and receives a full pseudo-terminal (PTY) shell running as the user that owns the marimo process.
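To make the missing-check pattern concrete, here is an added illustration; it is not marimo's code, and the router, handlers, header name and token are constructed stand-ins (validate_auth is named after the function in the advisory, but its body here is an assumption). It contrasts a per-handler authentication call, which one endpoint can silently omit, with a router that authenticates every WebSocket route before its handler runs:

```python
"""Added illustration of CWE-306 on a WebSocket route and a deny-by-default fix.

Not marimo's code: the router, the handlers, the header name and the token are
constructed stand-ins. validate_auth() is named after the function mentioned
in the advisory, but its body here is an assumption.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet

# Constructed sample credential; a real server derives this per session.
VALID_SESSION_TOKEN = "constructed-session-token"


@dataclass
class WsRequest:
    """Minimal stand-in for a WebSocket upgrade request."""
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


class AuthError(Exception):
    """Raised when an upgrade request carries no valid session."""


def validate_auth(req: WsRequest) -> None:
    """Reject the upgrade unless the session token header matches."""
    if req.headers.get("x-session-token") != VALID_SESSION_TOKEN:
        raise AuthError("unauthenticated WebSocket upgrade rejected")


Handler = Callable[[WsRequest], str]


# --- Vulnerable pattern: every handler must remember to call validate_auth ---
def kernel_ws(req: WsRequest) -> str:
    validate_auth(req)
    return "kernel channel open"


def terminal_ws_unchecked(req: WsRequest) -> str:
    # The auth call is missing here, so the PTY is handed to any client.
    return "pty shell open"


VULNERABLE_ROUTES: Dict[str, Handler] = {
    "/ws": kernel_ws,
    "/terminal/ws": terminal_ws_unchecked,
}


def dispatch_per_handler(req: WsRequest) -> str:
    """Router that trusts each handler to do its own auth check."""
    return VULNERABLE_ROUTES[req.path](req)


# --- Hardened pattern: the router authenticates before any handler runs ---
def terminal_ws(req: WsRequest) -> str:
    return "pty shell open"


class AuthenticatedRouter:
    """Every route is authenticated unless explicitly listed as public."""

    def __init__(self, public_paths: FrozenSet[str] = frozenset()) -> None:
        self._routes: Dict[str, Handler] = {}
        self._public = public_paths

    def add(self, path: str, handler: Handler) -> None:
        self._routes[path] = handler

    def dispatch(self, req: WsRequest) -> str:
        if req.path not in self._routes:
            raise KeyError(req.path)
        if req.path not in self._public:
            validate_auth(req)  # a handler can no longer forget this
        return self._routes[req.path](req)


HARDENED = AuthenticatedRouter()
HARDENED.add("/ws", kernel_ws)  # its own check now runs redundantly, which is harmless
HARDENED.add("/terminal/ws", terminal_ws)


def try_connect(dispatch: Callable[[WsRequest], str], req: WsRequest) -> str:
    """Return the handler's result, or 'rejected' when auth fails."""
    try:
        return dispatch(req)
    except AuthError:
        return "rejected"


if __name__ == "__main__":
    anon = WsRequest("/terminal/ws")
    print("vulnerable router, no credentials:", try_connect(dispatch_per_handler, anon))
    print("hardened router, no credentials:  ", try_connect(HARDENED.dispatch, anon))
```

The design point is that an authentication check placed in each handler is only as reliable as the least careful handler; moving it into the router (or framework middleware) makes "authenticated" the default and turns any public endpoint into an explicit, reviewable exception.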
Post-Exploit Impact:
* Full system compromise and arbitrary command execution (CWE-306: Missing Authentication for Critical Function)
* Theft of environment variables, cloud metadata service (IMDS) credentials, and SSH keys (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor)
Indicators of Compromise (IoCs):
Type          Value    Description / Notes                                           Source
Malware Name  NKAbuse  Multi-platform P2P botnet/backdoor using NKN protocol for C2  Sysdig Threat Research
Tenable Plugins: As of the publication of this Vulnerability Notification, Tenable has not provided plugins, and none are currently in its development pipeline.
Recommended Actions:
Date Added to KEV Catalog: April 23, 2026
Due Date for Remediation: May 7, 2026
* Upgrade Marimo to version 0.23.0 or later immediately
* Audit existing Marimo instances for unauthorized WebSocket connections to /terminal/ws
* Verify the host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems after testing.
* Run all software as a non-privileged user to reduce the impact of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
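As an added example (not the vendor's or the SOC's own tooling), the following Python script supports the first three actions above: it checks an installed version string against the fixed release, and it groups reverse-proxy access-log requests to /terminal/ws by source so that completed WebSocket upgrades (HTTP 101) from outside an allowlist stand out. The log lines and addresses are constructed samples, and the script assumes the proxy records a 101 status for a completed upgrade:

```python
"""Added triage helpers for the marimo /terminal/ws issue (not vendor code).

The log format is the common reverse-proxy access-log layout; the log lines
and addresses below are constructed samples. Assumption: a logged HTTP 101
to /terminal/ws means the proxy completed a WebSocket upgrade to the terminal.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Fixed version named in the advisory.
FIXED_VERSION: Tuple[int, int, int] = (0, 23, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '0.22.5' into (0, 22, 5); suffixes such as 'rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    a, b, c = (int(p) for p in m.groups())
    return (a, b, c)


def is_vulnerable(version: str) -> bool:
    """True when the installed marimo predates the 0.23.0 fix."""
    return parse_version(version) < FIXED_VERSION


# Common log format: source, timestamp, request line, status; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one internal user, one external scripted client
# that completed two upgrades, and one external client the proxy rejected.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Apr/2026:09:12:01 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Apr/2026:09:12:03 -0700] "GET /ws?session_id=abc HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.77 - - [23/Apr/2026:09:14:40 -0700] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"
203.0.113.77 - - [23/Apr/2026:09:14:41 -0700] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"
10.0.0.5 - - [23/Apr/2026:09:20:15 -0700] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Apr/2026:09:31:02 -0700] "GET /terminal/ws HTTP/1.1" 400 0 "-" "curl/8.5.0"
"""


def find_terminal_ws_activity(
    lines: Iterable[str], trusted_sources: Iterable[str] = ()
) -> List[Dict[str, object]]:
    """One finding per untrusted source that touched /terminal/ws.

    'attempts' counts every request to the path; 'upgrades' counts those the
    proxy answered with 101, i.e. a terminal session was actually opened.
    Findings are ordered with completed upgrades first.
    """
    trusted = set(trusted_sources)
    findings: Dict[str, Dict[str, object]] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        if m["path"].split("?", 1)[0] != "/terminal/ws" or m["ip"] in trusted:
            continue
        f = findings.setdefault(
            m["ip"],
            {"source": m["ip"], "attempts": 0, "upgrades": 0,
             "first_seen": m["ts"], "last_seen": m["ts"]},
        )
        f["attempts"] += 1
        if m["status"] == "101":
            f["upgrades"] += 1
        f["last_seen"] = m["ts"]
    return sorted(findings.values(), key=lambda f: (-f["upgrades"], f["source"]))


if __name__ == "__main__":
    print("0.22.5 vulnerable:", is_vulnerable("0.22.5"))
    for finding in find_terminal_ws_activity(SAMPLE_LOG.splitlines(), trusted_sources={"10.0.0.5"}):
        print(finding)
```

A 101 in the proxy log shows only that a terminal session was opened, not what ran in it; because the shell runs as the marimo user and the access log records none of its commands, any upgrade from an untrusted source should trigger the host-compromise check in the third action before the upgrade is applied.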
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378