At a glance: On May 28, researchers reported an incident in which a threat actor used an LLM agent to harvest cloud credentials, move laterally, and exfiltrate an internal database in under one hour. The initial access was obtained through a critical flaw in Marimo, which allows remote unauthenticated access to the underlying server and has been actively exploited in the wild since April 2026. Organizations running internet-exposed Marimo instances on versions prior to 0.23.0 are advised to update immediately and rotate all associated credentials.
Threat summary
On May 28, 2026, researchers published findings on an AI-agent-driven intrusion observed on May 10, 2026, in which a threat actor exploited CVE-2026-39987, a critical remote code execution (RCE) vulnerability in Marimo. The post-exploitation phase of the intrusion was driven by a large language model (LLM) agent that adapted its commands in real time rather than following a pre-written script. The full attack chain, from initial access to database exfiltration, was completed in under one hour.
Marimo is an open-source reactive Python notebook designed as an alternative to Jupyter. It stores notebooks as pure Python files and is used by data science teams, machine learning (ML) engineers, and researchers. Marimo instances are commonly configured with database connections, Application Programming Interface (API) keys, cloud credentials, and access to internal datasets.
CVE-2026-39987 is a missing authentication flaw (CWE-306) in Marimo's terminal WebSocket endpoint at /terminal/ws. Any remote user who can reach the server over the internet can connect to the terminal without credentials or any other form of identity verification, gaining direct command-line access to the underlying server. No specialized tooling, user interaction, or prior access is required to exploit this flaw, making it accessible to a wide range of threat actors. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.3 out of 10.
On April 8, 2026, the security advisory for CVE-2026-39987 was published on GitHub. The next day, researchers reported having observed the first exploitation attempt, with no public proof-of-concept (PoC) code available at the time, and suggested the adversary built a working exploit directly from the advisory text.
The threat actor exploited CVE-2026-39987 to gain a shell on an internet-exposed Marimo instance. Cloud credentials were harvested from environment files and Amazon Web Services (AWS) credential stores. Those credentials were used to retrieve a Secure Shell (SSH) private key from AWS Secrets Manager.
The key was then used to open eight parallel SSH sessions against a downstream bastion server, from which an internal PostgreSQL database was fully exfiltrated in under two minutes. Traffic was routed through 11 distinct Cloudflare Workers IP addresses, with 12 AWS API calls fanned across those addresses in 22 seconds.
Researchers identified the following indicators that an LLM agent drove the post-exploitation activity:
- The agent improvised a database dump with no prior schema knowledge
- A Chinese-language planning comment appeared in the command stream at sub-second pace across six IP addresses
- Every command was formatted for machine consumption with structured separators and discarded error streams
- The agent consumed its own prior output to feed subsequent commands
The use of an LLM agent in post-exploitation compressed the time between initial access and data exfiltration from hours to minutes, reducing the window available for detection and response.
Analysis
Mitigating the activity described in this incident requires both closing the initial access vector and reducing the attack surface available to an autonomous agent once it gains a foothold.
Start by updating vulnerable Marimo instances to remove the unauthenticated terminal endpoint. Remove all notebook servers from direct internet exposure, and enforce strong authentication in front of every development environment. Eliminate locally stored cloud keys, database passwords, and SSH keys, replacing them with short-lived credentials issued through a centralized secrets manager. Run Marimo and similar tools inside tightly restricted containers with limited network access so a compromised notebook cannot directly reach internal systems or cloud control planes.
At the same time, prepare your detection and response programs for the speed and automation of LLM-based post-exploitation. Deploy monitoring that flags rapid, machine-paced command sequences, bursts of cloud API calls, parallel SSH sessions, and unexpected database export activity. Add rate limits and approval steps for sensitive operations to slow automated attackers and create time for human intervention. These actions give your security team the visibility and control needed to contain highly automated intrusions before they escalate into full data loss events.
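One way to implement the "bursts of cloud API calls" check for the pattern reported above (12 AWS API calls across 11 addresses in 22 seconds) is sketched below. This is an added example, not code from the researchers or from Marimo; it assumes CloudTrail-style records, and the thresholds, access key IDs, and IP addresses are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_api_fanout(events, window_s=30, min_calls=10, min_ips=5):
    """Flag access keys whose calls inside a sliding window of `window_s`
    seconds reach `min_calls` and come from at least `min_ips` source IPs."""
    by_key = defaultdict(list)
    for ev in events:
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_key[ev["userIdentity"]["accessKeyId"]].append((ts, ev["sourceIPAddress"]))
    findings = []
    for key, calls in by_key.items():
        calls.sort()
        window = deque()
        for ts, ip in calls:
            window.append((ts, ip))
            # Drop calls that have aged out of the window.
            while ts - window[0][0] > timedelta(seconds=window_s):
                window.popleft()
            ips = {w_ip for _, w_ip in window}
            if len(window) >= min_calls and len(ips) >= min_ips:
                findings.append({"accessKeyId": key, "calls": len(window),
                                 "distinct_ips": len(ips),
                                 "span_s": (ts - window[0][0]).total_seconds()})
                break  # first trigger per key is enough to raise an alert
    return findings

def _event(key, second, ip, name="GetSecretValue"):
    # Builds one constructed CloudTrail-style record (date is arbitrary).
    t = datetime(2026, 1, 1, 12, 0, 0) + timedelta(seconds=second)
    return {"eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed sample: one key fanned across 11 documentation-range addresses
# over 22 seconds, and one key making the same number of calls from one IP.
SAMPLE = (
    [_event("AKIAEXAMPLEFANOUT001", i * 2, f"203.0.113.{i % 11 + 1}") for i in range(12)]
    + [_event("AKIAEXAMPLESTEADY001", i * 2, "198.51.100.7") for i in range(12)]
)

if __name__ == "__main__":
    for finding in detect_api_fanout(SAMPLE):
        print(finding)
```

Tune the window and thresholds against your own baseline; a single credential appearing from many addresses within seconds is the signal, not the absolute call count.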