Critical Marimo Python Notebook Flaw Exploited in Under 10 Hours After Public Disclosure
Introduction
A critical remote code execution vulnerability in Marimo, an open-source Python notebook used for data science and analysis, was weaponized and exploited in the wild just nine hours after its advisory was published. Tracked as CVE-2026-39987 with a CVSS score of 9.3, the flaw gives unauthenticated attackers a full interactive shell on exposed instances.
What Happened
On April 8, Marimo's maintainers published a security advisory for CVE-2026-39987, an unauthenticated RCE caused by a missing authentication check on the terminal WebSocket endpoint (/terminal/ws). Marimo's other WebSocket endpoints call validate_auth() before accepting a connection; this one only checked the running mode and platform support, so any client that could reach the port was handed an interactive terminal without presenting credentials.
No proof-of-concept exploit was published alongside the advisory, but that didn't slow attackers down. According to Sysdig, the first exploitation was observed 9 hours and 41 minutes after disclosure. The attacker built a working exploit directly from the advisory description, connected to the unauthenticated terminal endpoint, performed reconnaissance within two minutes, and returned six minutes later to exfiltrate credential files and SSH keys. The entire theft operation took under three minutes. Sysdig also observed 125 additional IP addresses performing reconnaissance — scanning ports and probing HTTP endpoints — suggesting broader interest in the vulnerability.
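The bug class described above, as an added illustration (not marimo's code): a WebSocket route that gates on running mode and platform but never on the caller's credentials, next to the corrected route that rejects before accepting. The routes are written against the ASGI WebSocket protocol and driven by an in-memory harness; validate_auth, running_in_edit_mode and platform_supports_terminal are illustrative names, and the session token is constructed for the demo.

```python
"""Added illustration of the advisory's bug class: a terminal WebSocket route
that checks mode and platform but skips auth, beside the corrected route.
Stand-in ASGI app with an in-memory harness; NOT marimo's code. The helper
names below are assumptions for the demo."""
import asyncio

SESSION_TOKEN = "constructed-demo-token"  # constructed for the demo, not a real secret


def validate_auth(scope) -> bool:
    """Stand-in for the framework's auth check: require a session cookie carrying the known token."""
    headers = {k.decode().lower(): v.decode() for k, v in scope.get("headers", [])}
    cookies = [c.strip() for c in headers.get("cookie", "").split(";")]
    return f"session={SESSION_TOKEN}" in cookies


def running_in_edit_mode(scope) -> bool:
    return scope["state"].get("mode") == "edit"


def platform_supports_terminal(scope) -> bool:
    return scope["state"].get("platform") != "win32"


async def terminal_ws_vulnerable(scope, receive, send):
    """Pattern from the advisory: mode and platform are checked, authentication is not."""
    await receive()  # websocket.connect
    if not (running_in_edit_mode(scope) and platform_supports_terminal(scope)):
        await send({"type": "websocket.close", "code": 1008})
        return
    await send({"type": "websocket.accept"})  # anyone who reached the port gets a terminal


async def terminal_ws_fixed(scope, receive, send):
    """Corrected route: refuse the upgrade unless the caller is authenticated."""
    await receive()
    if not validate_auth(scope):
        await send({"type": "websocket.close", "code": 1008})  # 1008 = policy violation
        return
    if not (running_in_edit_mode(scope) and platform_supports_terminal(scope)):
        await send({"type": "websocket.close", "code": 1008})
        return
    await send({"type": "websocket.accept"})


def make_scope(cookie=None, mode="edit", platform="linux"):
    """Build the ASGI websocket scope a server would produce for GET /terminal/ws."""
    headers = [(b"cookie", cookie.encode())] if cookie else []
    return {"type": "websocket", "path": "/terminal/ws", "headers": headers,
            "state": {"mode": mode, "platform": platform}}


async def drive(app, scope):
    """Minimal harness: deliver websocket.connect and capture the app's first reply."""
    sent = []

    async def receive():
        return {"type": "websocket.connect"}

    async def send(message):
        sent.append(message)

    await app(scope, receive, send)
    return sent[0]["type"] if sent else None


def connect(app, cookie=None, mode="edit", platform="linux") -> str:
    """Return 'websocket.accept' or 'websocket.close' for a client with the given cookie."""
    return asyncio.run(drive(app, make_scope(cookie, mode, platform)))


if __name__ == "__main__":
    print("vulnerable, no credentials:", connect(terminal_ws_vulnerable))
    print("fixed, no credentials:     ", connect(terminal_ws_fixed))
    print("fixed, valid cookie:       ", connect(terminal_ws_fixed, f"session={SESSION_TOKEN}"))
```

The point the harness makes is that the vulnerable route's only rejections are environmental (wrong mode or platform); a client presenting no cookie at all, or a bogus one, is accepted. The fix is simply to run the same credential check the other endpoints run before sending websocket.accept.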
Why It Matters
The time window between vulnerability disclosure and active exploitation has shrunk dramatically. Nine hours is not enough time for most organizations to even read an advisory, let alone patch. Marimo has around 20,000 GitHub stars and is used by data scientists, ML engineers, and analytics teams, many of whom run notebooks on cloud instances with relaxed security controls. An unauthenticated RCE on a data science notebook gives attackers access to datasets, model weights, cloud credentials, and any secrets stored on the host. The speed of exploitation also reinforces that a detailed vulnerability description, published before most users have deployed the fix, creates a race that defenders are losing: here the attacker needed no public proof-of-concept, only the advisory text.
Who Is Affected
- Any organization or individual running Marimo versions 0.20.4 and earlier
- Data science and ML teams running Marimo instances exposed to the network or internet
- Cloud-hosted notebook environments without authentication layers in front of the application
- Developers using Marimo locally who have forwarded ports or run it on 0.0.0.0
How to Protect Yourself
1. Update Marimo to version 0.23.0 or newer immediately
pip install --upgrade marimo
marimo --version
# Confirm version >= 0.23.0
Upgrading the package does not patch an already running server: restart every Marimo process after the upgrade, and verify the version from the same Python environment (virtualenv, conda env, container) the server actually runs in.
2. Check if any Marimo instances are exposed to the network
# Look for Marimo processes and what address/port they're binding to
ps aux | grep marimo
ss -tlnp | grep -E ':(2718|8080)'
Marimo listens on port 2718 by default; adjust the pattern if you start it with a different --port. If Marimo is bound to 0.0.0.0 instead of 127.0.0.1 (for example because it was started with --host 0.0.0.0), it is accepting connections from anywhere on the network, and on a cloud instance with a permissive security group that means the internet. Check any port forwards, SSH tunnels or container port mappings (docker ps) the same way.
3. Put authentication in front of any exposed notebook
Never expose a notebook server directly to the internet. Use a reverse proxy with authentication, and keep Marimo itself bound to 127.0.0.1 so the proxy is the only way in:
location /marimo/ {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://127.0.0.1:2718/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
This works against CVE-2026-39987 because a WebSocket connection starts as an ordinary HTTP GET with an Upgrade header, so nginx applies auth_basic to the /terminal/ws handshake before anything reaches Marimo. Marimo's own authentication does not help here: the vulnerable endpoint is precisely the one that skips it. Serve the proxy over TLS only, since basic-auth credentials are sent base64-encoded, not encrypted, and the Upgrade/Connection headers are required or the notebook's WebSockets will not work through the proxy.
4. Monitor for signs of exploitation
Check logs for unexpected WebSocket connections to the terminal endpoint. Any request to /terminal/ws that completed the upgrade (HTTP status 101) from an address you do not recognize means someone had a shell:
# Look for /terminal/ws connections in access logs
grep "/terminal/ws" /var/log/nginx/access.log
If the instance was exposed directly rather than through a proxy, you may have no request log to search and must rely on host indicators instead.
# List credential files by last access time (atime); with the default relatime
# mount option atime is only refreshed when it is older than the mtime or more
# than 24h old, so a stale atime does not prove the file was not read
find ~ \( -name "*.pem" -o -name "id_rsa" -o -name "id_ed25519" -o -name ".env" -o -path "*/.aws/credentials" \) -type f -print0 2>/dev/null | xargs -0 ls -ltu | head -10
5. Rotate credentials if you were running an exposed instance
If you had an unpatched Marimo instance accessible from the network, assume compromise and rotate SSH keys, cloud tokens, database passwords, and API keys stored on that host. Since the observed attacker returned to the host after initial reconnaissance, also review ~/.ssh/authorized_keys and crontab entries for additions you did not make before trusting the machine again.
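The log check in step 4, as an added example that is not part of the original article: a script that parses nginx "combined" access-log lines, lists every hit on the terminal endpoint (whatever path prefix the proxy adds) with the 101 upgrades singled out, and flags scanner-like clients, the kind of port-and-endpoint probing Sysdig reported from 125 other addresses. The log lines are constructed for the demo using documentation-range IPs.

```python
"""Added example: scan nginx "combined" access-log lines for hits on Marimo's
terminal WebSocket endpoint and for scanner-like clients. The log lines are
constructed for the demo (documentation-range IPs); this is not marimo's or
Sysdig's code."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TERMINAL_WS = "/terminal/ws"

SAMPLE_LOG = [
    # constructed: one scanner probing common paths, including the vulnerable endpoint
    '198.51.100.7 - - [09/Apr/2026:03:10:01 +0000] "GET / HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [09/Apr/2026:03:10:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [09/Apr/2026:03:10:02 +0000] "GET /api/status HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [09/Apr/2026:03:10:03 +0000] "GET /terminal/ws HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [09/Apr/2026:03:10:04 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    # constructed: a legitimate user behind the /marimo/ reverse proxy
    '192.0.2.10 - - [09/Apr/2026:03:11:00 +0000] "GET /marimo/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Apr/2026:03:11:01 +0000] "GET /marimo/favicon.ico HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # constructed: a client that completed the WebSocket upgrade on the terminal endpoint (101)
    '203.0.113.5 - - [09/Apr/2026:03:12:44 +0000] "GET /marimo/terminal/ws HTTP/1.1" 101 0 "-" "Python/3.11 websockets/12.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def terminal_ws_hits(lines):
    """Every request whose path ends in /terminal/ws, whatever prefix the proxy adds.
    Status 101 means the upgrade completed, i.e. the client obtained a terminal."""
    hits = []
    for rec in map(parse_line, lines):
        if rec and rec["path"].split("?", 1)[0].rstrip("/").endswith(TERMINAL_WS):
            hits.append(rec)
    return hits


def terminal_upgrades(lines):
    """Subset of terminal_ws_hits where the proxy actually completed the upgrade."""
    return [rec for rec in terminal_ws_hits(lines) if rec["status"] == 101]


def probing_ips(lines, min_paths=5, error_ratio=0.5):
    """Clients that touched many distinct paths and got mostly 4xx: scanner-like behaviour."""
    paths, total, errors = defaultdict(set), Counter(), Counter()
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        paths[rec["ip"]].add(rec["path"])
        total[rec["ip"]] += 1
        if 400 <= rec["status"] < 500:
            errors[rec["ip"]] += 1
    return sorted(ip for ip in total
                  if len(paths[ip]) >= min_paths and errors[ip] / total[ip] >= error_ratio)


if __name__ == "__main__":
    for rec in terminal_ws_hits(SAMPLE_LOG):
        print(f"{rec['ts']:%Y-%m-%d %H:%M:%S} {rec['ip']} {rec['path']} -> {rec['status']}")
    print("completed terminal upgrades:", [r["ip"] for r in terminal_upgrades(SAMPLE_LOG)])
    print("scanner-like IPs:", probing_ips(SAMPLE_LOG))
```

To run it against a real proxy log, replace SAMPLE_LOG with the lines of /var/log/nginx/access.log (and the rotated files for the days since April 8). A 404 on /terminal/ws from a scanner is noise, since the proxy never forwarded it; a 101 is the finding, and its timestamp and source address are where the credential-rotation and host-forensics work should start.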
Source
Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure — The Hacker News