May 31, 2026

CVE-2026-39987 Marimo RCE: LLM Agent Steals Database in 58 Minutes


CVE-2026-39987 — a critical, pre-authenticated remote code execution vulnerability in Marimo, the open-source Python notebook framework popular with data scientists, ML engineers, and AI researchers — was weaponised on May 10, 2026 by a threat actor operating an LLM agent (a large language model used as an autonomous attack orchestrator, capable of planning and executing multi-step commands without human direction) to conduct post-exploitation across four sequential pivots. Starting from an unauthenticated WebSocket shell, the attacker's AI agent harvested cloud credentials, retrieved an SSH private key from AWS Secrets Manager, established access to an internal bastion server, and dumped the full contents of a PostgreSQL database — all in 58 minutes. The incident was documented by Sysdig Threat Research on May 26, 2026 and reported by The Hacker News on May 29, 2026. CVE-2026-39987 carries a CVSS v3.1 score of 9.3, rated Critical, and has been listed on CISA's Known Exploited Vulnerabilities (KEV) catalog since April 23, 2026.

// 01 CVE-2026-39987: Technical Details

Marimo is a modern alternative to Jupyter notebooks, designed for reactive, reproducible Python environments. It includes an optional built-in terminal feature — when a user launches a server with --enable-terminal, Marimo spins up a WebSocket endpoint at /terminal/ws that provides a full PTY (pseudo-terminal — a software layer that behaves identically to a physical serial terminal, granting direct interactive shell access to the underlying operating system).

The vulnerability in CVE-2026-39987 is a missing authentication check on that exact endpoint. Every other sensitive WebSocket path in Marimo — including /ws, the primary notebook communication channel — correctly calls validate_auth() before accepting connections. The /terminal/ws endpoint does not. Per Marimo's security advisory:

> "The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands."

The endpoint checks only whether the server is running in notebook mode and whether the platform supports PTY — then opens the shell unconditionally. An attacker who can reach the Marimo TCP port (default 2718) needs no credentials, no session cookie, and triggers no user interaction. A single WebSocket upgrade request delivers an OS shell running as whatever user launched the Marimo server.

In research, data science, and AI engineering environments, that user typically has cloud provider credentials (AWS, GCP, Azure) in environment variables, .env files, or instance metadata — making Marimo a highly attractive pivot point into cloud infrastructure.

CVE-2026-39987 affects all Marimo releases through version 0.20.4. The fix was released in version 0.23.0 in April 2026, which adds proper validate_auth() enforcement to the terminal WebSocket handler.
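The missing gate and its fix, as an added illustration (not Marimo's source code): the route names and validate_auth() follow the advisory's description, while WsRequest, SERVER, the token and the WebSocket close codes are assumptions of this sketch.

```python
# Added illustration of the bug class behind CVE-2026-39987. This is not
# Marimo's code: route names and validate_auth() follow the article's
# description; request/server objects are simplified stand-ins.
import hmac
from dataclasses import dataclass, field

@dataclass
class WsRequest:
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

# Assumed server state: an access token plus the two checks the article says
# the terminal handler performs.
SERVER = {"token": "s3cr3t", "notebook_mode": True, "pty_supported": True}

def validate_auth(req: WsRequest) -> bool:
    """Stand-in for the check that /ws already applies before accepting."""
    sent = req.headers.get("Authorization", "").removeprefix("Bearer ")
    if req.cookies.get("session"):
        sent = req.cookies["session"]
    return hmac.compare_digest(sent, SERVER["token"])

def notebook_ws(req: WsRequest) -> str:
    # /ws: the primary notebook channel, gated by validate_auth().
    return "accept" if validate_auth(req) else "close:1008"

def terminal_ws_vulnerable(req: WsRequest) -> str:
    # Pre-0.23.0 behaviour as described: mode and PTY checks only, no auth.
    if not (SERVER["notebook_mode"] and SERVER["pty_supported"]):
        return "close:1003"
    return "accept:pty"          # a shell for anyone who can reach the port

def terminal_ws_fixed(req: WsRequest) -> str:
    # 0.23.0 behaviour as described: authenticate before the feature checks.
    if not validate_auth(req):
        return "close:1008"
    if not (SERVER["notebook_mode"] and SERVER["pty_supported"]):
        return "close:1003"
    return "accept:pty"

def unauthenticated_routes(routes: dict) -> list:
    """Regression check: which WebSocket routes accept a credential-less request?"""
    anon = WsRequest(path="", headers={}, cookies={})
    return [path for path, handler in routes.items()
            if handler(anon).startswith("accept")]
```

A check like unauthenticated_routes() belongs in a project's test suite, so that a new WebSocket route which forgets the auth call fails CI rather than shipping.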

[Figure: CVE-2026-39987 Marimo — LLM agent attack chain, May 10 2026]

// 02 Exploitation Status and Threat Landscape

CVE-2026-39987 was first exploited in the wild within 9 hours and 41 minutes of its initial public disclosure, according to Sysdig's earlier April research. CISA added the flaw to the KEV catalog on April 23, 2026, with a federal remediation deadline of May 7, 2026 — a deadline that has now passed. FCEB (Federal Civilian Executive Branch) agencies that have not yet patched are in violation of Binding Operational Directive 22-01.

No PoC (proof-of-concept — publicly released exploit code) is required to exploit CVE-2026-39987. The attack is trivially reproducible: a single command using websocat or any WebSocket client is sufficient to land a shell on an unpatched instance. The vulnerability requires no prior authentication, no session token, and no user interaction.

The May 10 incident documented by Sysdig is qualitatively different from the initial exploitation wave. It represents one of the first confirmed cases of an LLM agent being used operationally for multi-stage, adaptive post-exploitation in a real intrusion — not a research exercise or red-team simulation. The attacker's AI agent improvised an entire kill chain through infrastructure it had no prior knowledge of, driven in real time by its model's reasoning capabilities.

// 03 Who Is Affected

Any Marimo server running version 0.20.4 or earlier with the terminal feature enabled and accessible over a network is vulnerable to CVE-2026-39987. Highest-risk deployments include:

  • AI/ML research teams running Marimo on shared cloud servers or remote VMs accessible via SSH forwarding or public IP
  • Data pipelines where Marimo notebooks interact with cloud storage, databases, or secrets managers
  • Developer environments on Kubernetes where Marimo is exposed via a LoadBalancer service without an authentication sidecar
  • Academic and corporate research clusters where notebooks are shared across teams and hosted on always-on servers

Internet-wide scanning data indicates hundreds of publicly reachable Marimo instances, many in cloud environments with permissive IAM (Identity and Access Management — the cloud permission system that controls which services and users can access which resources) configurations. Environments that combine Marimo exposure with AWS/GCP/Azure credentials represent critical-priority remediation targets.

// 04 Four Signs the Attacker Was an AI

Sysdig's incident report identifies four behavioural markers distinguishing this attack from human-operated intrusions — each of which provides defenders with novel detection surface:

1. Schema Improvisation without Prior Reconnaissance. The target database had an opaque hostname with no application identifier on disk, no schema dump pre-staged, and no clues in the filesystem. Despite zero foreknowledge, the agent located and dumped a credentials table within minutes, improvising discovery commands in real time — behaviour requiring either improbable luck or real-time adaptive reasoning.

2. Chinese-Language Planning Comment Leaked into Bash. The command stream contained the string 看还能做什么 — translating to "See what else we can do" — injected directly into an executed command. This is the model's chain-of-thought (the internal reasoning trace an LLM generates before producing its final output) leaking into tool output. It is a known failure mode of AI agent frameworks that use bash as their primary tool execution environment.

3. Machine-Optimised Command Formatting Throughout. Every command was structured for machine parsing: --- delimiters between logical sections, bounded output captures (head -20, wc -l), PAGER=cat set globally to prevent interactive less sessions, and 2>/dev/null stderr suppression throughout. Humans under operational pressure do not format commands this way.

4. Output-Dependent Command Chaining. The agent performed ls to confirm file existence before cat, then parsed the output of each step to construct subsequent commands. AWS credentials extracted from an environment file were formatted and passed directly to aws secretsmanager calls without manual intervention. This tight tool-use loop — where each action's output feeds the next — is characteristic of agent frameworks like LangChain, AutoGPT, and Claude tool use.
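The four markers turned into detection logic, as an added example that is not part of Sysdig's report: it scores a captured shell command stream (from a PTY session recording, auditd execve logs or shell history) for the formatting, CJK-leak and ls-then-cat patterns described above. The session below is constructed for the demo and is not the incident's real command log.

```python
# Added example, not from Sysdig's report or the article: score a captured
# shell command stream for the four markers above. The session below is
# constructed for the demo; it is not the incident's real command log.
import re
import unicodedata

SAMPLE_SESSION = """\
PAGER=cat aws sts get-caller-identity 2>/dev/null | head -20
ls -la /home/app/.env 2>/dev/null
cat /home/app/.env 2>/dev/null; echo ---
env | wc -l
看还能做什么
ls
cd projects
git status
"""

# Marker 3: machine-optimised formatting.
MARKERS = {
    "pager_cat":       re.compile(r"\bPAGER=cat\b"),
    "stderr_silenced": re.compile(r"2>/dev/null"),
    "bounded_output":  re.compile(r"\|\s*(head\s+-\d+|wc\s+-l)\b"),
    "section_delim":   re.compile(r"(^|\s)---(\s|$)"),
}

def has_cjk(cmd: str) -> bool:
    # Marker 2: CJK text in the command stream. Heuristic only: legitimate
    # CJK filenames or arguments will also trip it.
    return any("CJK" in unicodedata.name(ch, "") for ch in cmd)

def score_command(cmd: str) -> list:
    """Return the marker names a single command line triggers."""
    hits = [name for name, rx in MARKERS.items() if rx.search(cmd)]
    if has_cjk(cmd):
        hits.append("cjk_comment")
    return hits

def score_session(log: str) -> dict:
    """Per-marker counts for a session, plus marker 4 (ls-then-cat chaining)."""
    lines = [ln for ln in log.splitlines() if ln.strip()]
    counts = {}
    for cmd in lines:
        for hit in score_command(cmd):
            counts[hit] = counts.get(hit, 0) + 1
    chained = 0
    for prev, cur in zip(lines, lines[1:]):
        if prev.startswith("ls") and cur.startswith("cat"):
            paths = {tok for tok in prev.split() if tok.startswith("/")}
            if paths & set(cur.split()):
                chained += 1
    counts["ls_then_cat"] = chained
    counts["flagged_lines"] = sum(1 for cmd in lines if score_command(cmd))
    return counts
```

No single marker is conclusive; the alerting value is in a session where several of them cluster, which an ordinary interactive operator rarely produces.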

// 05 What You Should Do Right Now

  • Upgrade Marimo immediately to version 0.23.0 or later. The upgrade takes under one minute:

```bash
pip install --upgrade marimo
marimo --version   # confirm >= 0.23.0
```

  • Audit all running Marimo instances for network exposure:

```bash
# Find any Marimo listeners (default port 2718); -E is needed for the | alternation
ss -tlnp | grep -E ':2718|marimo'
# Or check processes; the [m] keeps grep from matching its own command line
ps aux | grep '[m]arimo'
```

  • Disable the terminal feature on any instance not strictly requiring it. The --enable-terminal flag must be explicitly passed to activate the vulnerable endpoint — omitting it eliminates the attack surface entirely without upgrading.
  • Block public access to Marimo ports. Marimo should never be directly internet-reachable. Place it behind an authenticated reverse proxy (nginx + HTTP basic auth, Caddy with auth middleware, or a cloud load balancer with IAM-signed headers). For remote access, tunnel over SSH rather than opening firewall rules.
  • Rotate all credentials on any host where Marimo ran with terminal enabled and any degree of network exposure — AWS IAM keys, GCP service account credentials, SSH private keys, database passwords, and tokens in .env files.
  • Review AWS CloudTrail logs for unexpected secretsmanager:GetSecretValue calls, particularly from Cloudflare Workers IP ranges (104.28.0.0/24, 104.28.128.0/17). The known attacker source IP in the May 10 incident was 157.66.54.26 (ASN 141892, Indonesia).
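The CloudTrail review from the last step, as an added example that is not from the article or Sysdig's report: it triages Secrets Manager events by source IP against the ranges and the single IP quoted above. The events are constructed, the account ID, ARNs and secret names are placeholders, and EXPECTED_NETS is an assumed allow-list you would replace with your own.

```python
# Added example, not from the article or Sysdig's report: triage CloudTrail
# Secrets Manager events by source IP against the ranges quoted above. The
# events are constructed; account ID and secret names are placeholders.
import ipaddress
import json

# The ranges and single IP named in the article, as given there.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in
                ("104.28.0.0/24", "104.28.128.0/17", "157.66.54.26/32")]
# Assumed: the networks your legitimate workloads call Secrets Manager from.
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2026-05-10T13:04:11Z","eventSource":"secretsmanager.amazonaws.com",
  "eventName":"GetSecretValue","sourceIPAddress":"104.28.129.77",
  "requestParameters":{"secretId":"prod/bastion/ssh-key"}},
 {"eventTime":"2026-05-10T13:05:02Z","eventSource":"secretsmanager.amazonaws.com",
  "eventName":"GetSecretValue","sourceIPAddress":"10.0.4.12",
  "requestParameters":{"secretId":"prod/db/password"}},
 {"eventTime":"2026-05-10T13:06:40Z","eventSource":"secretsmanager.amazonaws.com",
  "eventName":"ListSecrets","sourceIPAddress":"157.66.54.26"},
 {"eventTime":"2026-05-10T13:07:15Z","eventSource":"secretsmanager.amazonaws.com",
  "eventName":"GetSecretValue","sourceIPAddress":"203.0.113.9",
  "requestParameters":{"secretId":"prod/db/password"}}
]""")

def classify(event: dict) -> str:
    """suspect: known-bad range; unexpected: outside EXPECTED_NETS; ok; ignore."""
    if event.get("eventSource") != "secretsmanager.amazonaws.com":
        return "ignore"
    if event.get("eventName") not in ("GetSecretValue", "ListSecrets"):
        return "ignore"
    try:
        ip = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        return "ignore"   # AWS service principals appear as e.g. "lambda.amazonaws.com"
    if any(ip in n for n in SUSPECT_NETS):
        return "suspect"
    return "ok" if any(ip in n for n in EXPECTED_NETS) else "unexpected"

def triage(events) -> dict:
    """Group the events worth a human look: (time, action, source IP, secretId)."""
    out = {"suspect": [], "unexpected": []}
    for e in events:
        verdict = classify(e)
        if verdict in out:
            out[verdict].append((e["eventTime"], e["eventName"], e["sourceIPAddress"],
                                 e.get("requestParameters", {}).get("secretId", "-")))
    return out
```

Feed it the JSON records from an Athena or CloudTrail Lake query scoped to the incident window; the "unexpected" bucket is where credentials used from a new egress point show up even when the IP is not on the published list.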

// 06 Background: Understanding the Risk

Marimo exemplifies a category of tools that have become critical infrastructure for AI and data science teams without inheriting the security baseline of traditional enterprise software. Python notebooks are optimised for iteration speed and researcher productivity; hardening features like mandatory authentication, audit logging, and network access controls are frequently absent from defaults or hidden behind flags.

CVE-2026-39987 follows a well-established pattern in developer tooling: an "advanced" optional feature is gated behind a CLI flag, the assumption being it will only be used in trusted local environments. When the same tools are deployed to cloud virtual machines, shared K8s clusters, or collaborative research environments — as they increasingly are at scale — that trust boundary collapses.

The LLM agent dimension raises the threat model further. Autonomous attack frameworks (AutoGPT, Claude tool use, OpenAI function-calling loops) are now broadly available and require no specialised security expertise to operate against discovered vulnerabilities. The barrier to sophisticated post-exploitation has collapsed: an attacker with initial shell access can delegate the entire lateral movement and exfiltration campaign to an AI agent that will improvise, adapt, and pivot faster than any human operator.

This is consistent with findings from Mandiant's M-Trends 2026 report, which documented that time-to-exploit for newly disclosed vulnerabilities has effectively gone negative in some cases — and with the CISA/NCSC advisory AA26-113a, which explicitly warned that adversaries are deploying AI tooling to accelerate post-exploitation activity across compromised infrastructure. CVE-2026-39987 is the first documented case where that warning maps directly to a confirmed incident.

// 07 Conclusion

CVE-2026-39987 is a pre-authenticated RCE in Marimo that requires no exploit code and delivers OS-level access in one WebSocket request. The May 10, 2026 incident documented by Sysdig is a concrete proof point that LLM agents are now active participants in real attack chains — not a future concern. Any Marimo deployment on version 0.20.4 or earlier with the terminal enabled and any network reachability should be treated as potentially compromised. Upgrade to 0.23.0, rotate credentials, and audit cloud API access logs immediately.

    Team Ciphers Security
