Endor Labs — Marimo CVE-2026-39987 Pre-Auth RCE
AI relevance: This vulnerability affects Marimo, a modern Python reactive notebook framework with ~20k GitHub stars used heavily in data science and ML experimentation. AI infrastructure tools often expose WebSocket endpoints that escape the authentication applied to their HTTP routes, creating critical remote code execution risks.
- CVE-2026-39987 — Critical Pre-Authentication Remote Code Execution (CVSS 9.3)
- Root Cause — WebSocket endpoint /terminal/ws lacked authentication validation
- Impact — Attackers gain full PTY shell access with a single WebSocket request
- Affected — All Marimo versions prior to 0.23.0
- Exploitation — First exploit observed within 9h41m of advisory publication
- Platform — Marimo Python reactive notebook framework
Why it matters
Marimo is positioned as a modern alternative to Jupyter notebooks, often deployed in containers with network access for collaborative data science and ML work. The unauthenticated terminal WebSocket allows attackers to instantly gain shell access to systems hosting sensitive AI workloads, credentials, and internal data. This vulnerability demonstrates how AI infrastructure tools can prioritize functionality over security, exposing critical attack surfaces.
What to do
- Immediately upgrade Marimo to version 0.23.0 or later
- Audit network exposure of Marimo instances, especially those reachable from untrusted networks
- Assume credential theft if instances were internet-exposed and unpatched
- Review WebSocket authentication patterns across all AI infrastructure components
- Treat notebook servers as high-value targets requiring strong network segmentation
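The last review item (check WebSocket authentication patterns, not just HTTP ones) is easiest to reason about with the bug class in front of you. The following is an added example written for this page, not Marimo's code and not Endor Labs' material: a minimal ASGI setup in which a hypothetical terminal handler sits behind two alternative authentication wrappers. The weak wrapper checks the session cookie only when the ASGI scope type is "http", so a WebSocket upgrade (scope type "websocket") reaches the handler unchecked; the hardened wrapper applies the same check to both scope types and closes the socket before accepting it. The cookie name "session", the token value and the synthetic scopes are all constructed for the demo.

```python
import asyncio
from typing import List, Optional

# Constructed session token for this demo; a real server would load its secret from configuration.
SESSION_TOKEN = "demo-session-token"


async def terminal_app(scope, receive, send):
    """Hypothetical stand-in for a terminal/PTY endpoint handler (not marimo's code).
    It accepts any WebSocket it is handed and answers any HTTP request with 200,
    so whatever sits in front of it is the only access control."""
    if scope["type"] == "websocket":
        await receive()  # consume the websocket.connect event
        await send({"type": "websocket.accept"})
    else:
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})


def session_token(scope) -> Optional[str]:
    """Read the 'session' cookie from the ASGI raw header list (pairs of bytes)."""
    for name, value in scope.get("headers", []):
        if name.lower() == b"cookie":
            for part in value.decode("latin-1").split(";"):
                key, _, val = part.strip().partition("=")
                if key == "session":
                    return val
    return None


async def _reject(scope, send):
    """Refuse the request before the inner app runs."""
    if scope["type"] == "websocket":
        # Closing before accept makes the ASGI server fail the handshake (HTTP 403).
        await send({"type": "websocket.close", "code": 1008})
    else:
        await send({"type": "http.response.start", "status": 401, "headers": []})
        await send({"type": "http.response.body", "body": b"unauthorized"})


def http_only_auth(app):
    """Weak pattern: the session check runs only for scope type 'http'.
    A WebSocket upgrade has scope type 'websocket' and is passed straight through."""
    async def wrapper(scope, receive, send):
        if scope["type"] == "http" and session_token(scope) != SESSION_TOKEN:
            await _reject(scope, send)
            return
        await app(scope, receive, send)
    return wrapper


def http_and_ws_auth(app):
    """Hardened pattern: the same session check gates both HTTP and WebSocket scopes."""
    async def wrapper(scope, receive, send):
        if scope["type"] in ("http", "websocket") and session_token(scope) != SESSION_TOKEN:
            await _reject(scope, send)
            return
        await app(scope, receive, send)
    return wrapper


def simulate(app, scope_type: str, cookie: Optional[str]) -> str:
    """Drive an ASGI app with a synthetic scope and classify its first outbound message
    as 'accepted' or 'rejected'. The scope is constructed for the demo, not captured traffic."""
    headers = [(b"cookie", cookie.encode())] if cookie else []
    scope = {"type": scope_type, "path": "/terminal/ws", "headers": headers}
    sent: List[dict] = []

    async def receive():
        if scope_type == "websocket":
            return {"type": "websocket.connect"}
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    first = sent[0]
    if first["type"] == "websocket.accept":
        return "accepted"
    if first["type"] == "websocket.close":
        return "rejected"
    return "accepted" if first["status"] == 200 else "rejected"


if __name__ == "__main__":
    wrappers = (("http_only_auth", http_only_auth(terminal_app)),
                ("http_and_ws_auth", http_and_ws_auth(terminal_app)))
    for name, wrapped in wrappers:
        for scope_type in ("http", "websocket"):
            for cookie in (None, f"session={SESSION_TOKEN}"):
                verdict = simulate(wrapped, scope_type, cookie)
                print(f"{name:17} {scope_type:9} cookie={cookie!s:27} -> {verdict}")
```

Running the block prints the matrix of wrapper, scope type and cookie: the "http_only_auth" row for an unauthenticated WebSocket comes back "accepted", which is exactly the shape of gap the advisory describes, while the same request against "http_and_ws_auth" is rejected. When auditing a real deployment, the equivalent question is whether each WebSocket route passes through the same authentication dependency or middleware as the HTTP routes, or whether it is registered outside that layer.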