Critical Marimo pre-auth RCE flaw now under active exploitation

Published: April 12, 2026 at 10:20 AM EDT

Source: Bleeping Computer

Overview

Hackers started exploiting a critical vulnerability in the Marimo open‑source reactive Python notebook platform just 10 hours after its public disclosure.

The flaw allows unauthenticated remote code execution in Marimo versions 0.20.4 and earlier. It is tracked as CVE‑2026‑39987, and GitHub rated it critical with a score of 9.3 / 10.

According to researchers at cloud‑security company Sysdig, attackers created an exploit from the information in the developer’s advisory and immediately started using it in attacks that exfiltrated sensitive information.


Marimo is an open‑source Python notebook environment, typically used by data scientists, ML/AI practitioners, researchers, and developers building data apps or dashboards. It is a fairly popular project, with 20,000 GitHub stars and 1,000 forks.

CVE‑2026‑39987 is caused by the WebSocket endpoint /terminal/ws exposing an interactive terminal without proper authentication checks, so any unauthenticated client can connect to it. A successful connection gives direct access to a full interactive shell running with the same privileges as the Marimo process.

Marimo disclosed the flaw on April 8 and released version 0.23.0 to address it. The developers noted that the flaw affects users who deployed Marimo as an editable notebook, and those who expose Marimo to a shared network using --host 0.0.0.0 while in edit mode.

Exploitation in the Wild

Within the first 12 hours after the vulnerability details were disclosed, 125 IP addresses began reconnaissance activity, according to Sysdig.

Less than 10 hours after disclosure, the researchers observed the first exploitation attempt in a credential‑theft operation. The attacker first validated the vulnerability by connecting to the /terminal/ws endpoint and executing a short scripted sequence to confirm remote command execution, disconnecting within seconds.

Shortly after, they reconnected and began manual reconnaissance, issuing basic commands such as pwd, whoami, and ls to understand the environment, followed by directory navigation attempts and checks for SSH‑related locations.

Next, the attacker focused on credential harvesting, immediately targeting the .env file and extracting environment variables, including cloud credentials and application secrets. They then attempted to read additional files in the working directory and continued probing for SSH keys.

[Figure: Stealing credentials. Source: Sysdig]

The entire credential‑access phase was completed in less than three minutes, notes a Sysdig report this week.

Roughly an hour later, the attacker returned for a second exploitation session using the same exploit sequence.

The researchers say that the attack appears to have been carried out by a “methodical operator” working hands‑on rather than through automated scripts, focusing on high‑value objectives such as stealing .env credentials and SSH keys. The attacker did not attempt to establish persistence, deploy cryptominers, or install backdoors, suggesting a quick, stealthy operation.

Mitigation Recommendations

  • Upgrade to Marimo version 0.23.0 (or later) immediately.
  • Monitor WebSocket connections to /terminal/ws.
  • Restrict external access to the notebook service via a firewall or network ACLs.
  • Rotate all exposed secrets, including environment variables, API keys, and SSH keys.
  • If upgrading is not possible, block or disable access to the /terminal/ws endpoint entirely.
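As an added defender‑side example (not code from the article, Sysdig, or the Marimo project), the script below implements the monitoring step above: it scans reverse‑proxy access logs for WebSocket upgrades to /terminal/ws and ranks hits by whether they came from outside a trusted range. It assumes an nginx‑style combined log format extended with the Upgrade header as the last quoted field, a trusted internal range of 10.0.0.0/8, and constructed sample lines.

```python
# Flag WebSocket connections to Marimo's /terminal/ws in access logs.
# Added example; assumes nginx combined format + "$http_upgrade" as last field.
import ipaddress
import re

# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Apr/2026:14:02:11 +0000] "GET /api/kernel/status HTTP/1.1" 200 312 "-" "Mozilla/5.0" "-"
203.0.113.42 - - [08/Apr/2026:14:03:27 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Python/3.11 websockets/12.0" "websocket"
10.0.0.7 - - [08/Apr/2026:14:05:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0" "websocket"
198.51.100.9 - - [08/Apr/2026:14:05:44 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 403 0 "-" "curl/8.5.0" "websocket"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" "(?P<upgrade>[^"]*)"$'
)

# Assumption: only this range should ever reach the notebook's terminal.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_terminal_ws(rec):
    """True for a WebSocket attempt (upgrade header or 101) against /terminal/ws."""
    path = rec["path"].split("?", 1)[0].rstrip("/")
    return path == "/terminal/ws" and (
        rec["status"] == "101" or rec["upgrade"].lower() == "websocket"
    )


def find_alerts(log_text):
    """Return every /terminal/ws hit, tagged with source trust and severity."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_terminal_ws(rec):
            continue
        src = ipaddress.ip_address(rec["ip"])
        rec["external"] = not any(src in net for net in TRUSTED_NETS)
        # A completed upgrade (101) from an untrusted source is the pattern the
        # article describes; a refused attempt is still worth recording.
        rec["severity"] = "high" if rec["external"] and rec["status"] == "101" else "low"
        alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f'{a["severity"]:4} {a["ip"]:15} {a["ts"]} {a["ua"]}')
```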