Marimo Pre-Authentication RCE (CVE-2026-39987): Critical AI Development Toolchain Compromise
Date: 2026-04-22
Tags: supply-chain, malicious-tool
Executive Summary
CVE-2026-39987 is a critical pre-authentication remote code execution vulnerability (CVSS v4.0: 9.3) in Marimo, a reactive Python notebook widely used in AI development environments. Exploitation was observed within 10 hours of the April 8, 2026 advisory publication. Organizations that ran Marimo on internet-accessible infrastructure before upgrading should treat any deployment as potentially compromised and rotate all credentials that were accessible within the compromised environment, including API keys for LLM providers and cloud service credentials.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Marimo WebSocket Authentication Bypass RCE |
| Attribution | Unknown (Opportunistic Exploitation) (confidence: low) |
| Target | AI development teams, data scientists, and ML engineers using internet-exposed Marimo notebooks |
| Vector | Unauthenticated HTTP POST requests to Marimo terminal WebSocket endpoint |
| Status | active |
| First Observed | 2026-04-08 |
Detailed Findings
The credential exfiltration pattern observed in the Marimo exploitation honeypot—where attackers focused on obtaining LLM provider API keys and cloud credentials within minutes of gaining shell access—represents the initial access phase of precisely the kind of AI supply chain attack scenario designed to address AI development infrastructure compromise leading to broader AI system manipulation or supply chain poisoning.

Upgrading is the primary remediation for CVE-2026-39987: it closes the authentication gap in the terminal WebSocket endpoint. After upgrading, verify that `marimo --version` reports 0.23.0 or above. Organizations relying on container images should update both the base image and any pinned dependency specifications.
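The following is an added example, not code from the advisory's sources or from the Marimo project. It uses only the Python standard library to flag requirements-style pins that still permit a Marimo release below 0.23.0, and to check the package installed for the current interpreter. The function names and sample requirement lines are constructed for illustration, and version comparison is simplified to the first three numeric components.

```python
import re
from importlib import metadata

FIXED = (0, 23, 0)  # minimum version the advisory says to verify
# "marimo" or "marimo[extras]" at line start, but not another package such as "marimo-foo"
PIN_RE = re.compile(r"^\s*marimo(?![\w.-])(?:\[[^\]]*\])?\s*(?P<spec>[^#;]*)", re.I)
CLAUSE_RE = re.compile(r"(==|~=|>=|<=|>|<|!=)\s*([0-9]+(?:\.[0-9]+)*)")

def parse_version(text):
    """'0.22.1' -> (0, 22, 1). Simplification: only the first three numbers count."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def audit_line(line):
    """None for non-marimo lines; 'ok' only if the spec excludes every release below FIXED."""
    m = PIN_RE.match(line)
    if not m:
        return None
    clauses = CLAUSE_RE.findall(m.group("spec"))
    exact = [parse_version(v) for op, v in clauses if op == "=="]
    if exact:
        return "ok" if exact[0] >= FIXED else "pinned-vulnerable"
    lower = [parse_version(v) for op, v in clauses if op in (">=", ">", "~=")]
    return "ok" if lower and max(lower) >= FIXED else "allows-vulnerable"

def audit_requirements(text):
    """Return (line_no, requirement, status) for each marimo requirement."""
    hits = ((n, l.strip(), audit_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return [h for h in hits if h[2]]

def installed_status():
    """Status of the marimo package installed for this interpreter, if any."""
    try:
        return "ok" if parse_version(metadata.version("marimo")) >= FIXED else "vulnerable"
    except metadata.PackageNotFoundError:
        return "not-installed"

# Constructed sample requirements file; the version numbers are illustrative only.
SAMPLE = """\
marimo==0.22.4
marimo[sql]>=0.20
marimo-extras==1.0
marimo~=0.23.1
marimo
"""

if __name__ == "__main__":
    for line_no, req, status in audit_requirements(SAMPLE):
        print(f"line {line_no}: {req!r} -> {status}")
    print("installed:", installed_status())
```

An unpinned or loosely bounded requirement is reported as `allows-vulnerable` because a cached image layer or lock file can still resolve it to a release below 0.23.0.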
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Unauthenticated RCE in exposed Marimo WebSocket endpoint |
| Credential Access | T1110 | Automated harvesting of LLM API keys and cloud provider credentials post-exploitation |
IOCs
Domains
_No specific IOCs published; vulnerability is in application design (missing authentication on /terminal/ws endpoint)_
Full URL Paths
_No specific IOCs published; vulnerability is in application design (missing authentication on /terminal/ws endpoint)_
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
marimo
Detection Recommendations
- Monitor WebSocket connections to /terminal/ws endpoints for unusual payload patterns.
- Implement network-level authentication or IP allowlisting for Marimo deployments.
- Deploy Marimo only on private networks or behind authentication gateways.
- Monitor environment variable access and LLM API key usage for anomalous patterns post-deployment.
- Scan outbound connections from Marimo processes to external IP ranges.
- Review Marimo logs for WebSocket connection attempts with encoded payloads.
References
- [Cloud Security Alliance AI Safety Initiative] Marimo Pre-Auth RCE: AI Development Toolchain Under Attack (2026-04-10) — https://labs.cloudsecurityalliance.org/research/csa-research-note-marimo-rce-cve-2026-39987-ai-toolchain-202/
- [Endor Labs] Root in One Request: Marimo's Critical Pre-Auth RCE (CVE-2026-39987) (2026-04) — https://labs.cloudsecurityalliance.org/research/csa-research-note-marimo-rce-cve-2026-39987-ai-toolchain-202/