Critical Marimo Pre‑Authentication RCE Flaw Now Under Active Exploitation

Critical RCE flaw CVE‑2026‑39987 in Marimo open‑source Python notebook platform was actively exploited within 10 hours of disclosure, allowing unauthenticated attackers to gain full shell access via the /terminal/ws WebSocket endpoint and exfiltrate .env credentials and SSH keys; users are urged to upgrade to v0.23.0 or block the endpoint immediately.

TechLogHub

April 12, 2026

0 views

CRITICAL MARIMO PRE-AUTH RCE FLAW NOW UNDER ACTIVE EXPLOITATION

1) Overview

A critical vulnerability in the Marimo open-source reactive Python notebook platform has entered active exploitation. The flaw is tracked as CVE-2026-39987 and was rated with a very high severity by GitHub’s assessment (9.3/10).
The issue affects Marimo versions 0.20.4 and earlier, with the vulnerability enabling remote code execution without authentication.
Public disclosure occurred in early April 2026, and a fix was released shortly afterward for the affected series.

2) What Marimo is

Marimo is an open-source Python notebook environment designed for data scientists, machine learning researchers, and developers building data-driven dashboards and apps.
The project has gained notable community attention, featuring thousands of stars and forks on its code hosting platform, reflecting its popularity within the data science and AI tooling space.

3) Technical details of the flaw

The root cause lies in the WebSocket-based terminal endpoint, specifically the /terminal/ws path, which exposed an interactive terminal without proper authentication checks.
An unauthenticated client could establish a connection and obtain a full interactive shell with the same privileges as the Marimo process, effectively compromising the host running Marimo.
The vulnerability specifically impacts environments where Marimo is deployed as an editable notebook or when the service is exposed to a shared network using a host binding of 0.0.0.0 while in edit mode.

4) Public disclosure and the fix

The Marimo project disclosed the flaw and its impact on April 8, 2026.
The developers released a patched version, Marimo 0.23.0, on April 11, 2026, addressing the vulnerability and tightening the authentication around the terminal endpoint.
The disclosure also noted the exposure risk for users who had made Marimo available as an editable notebook or who left the service accessible across a shared network.

5) Exploitation in the wild: a near-real-time timeline

Within the first 12 hours after vulnerability details were published, researchers observed reconnaissance activity across at least 125 distinct IP addresses.
In less than 10 hours after disclosure, the first exploitation attempts were seen in credential-theft-oriented operations.
The attacker sequence began with a quick test to validate remote command execution by connecting to the /terminal/ws endpoint and running a short scripted action before disconnecting.
Shortly after the initial probe, the attacker reconnected and resumed targeted reconnaissance to understand the environment. Basic commands were issued to determine working directories and system context, followed by attempts to locate SSH-related locations.
The operation then shifted to credential harvesting, with immediate focus on the environment’s .env file to extract environment variables, cloud credentials, and other secrets stored in configuration files.
Further probing targeted additional files within the working directory and attempts to locate SSH keys, aiming to access further footholds.
Sysdig’s analysis notes that the entire credential access phase completed in under three minutes, highlighting a tightly tuned sequence designed to extract high-value credentials quickly.
About an hour after the initial exploitation, the attacker returned for a second session using the same exploit path, indicating a deliberate, hands-on operator rather than fully automated tooling.
Observations describe a disciplined operator approach focused on high-value targets (credentials and keys), with no evidence of attempts to install persistence mechanisms, deploy cryptomining, or plant backdoors in this early wave.

6) Attacker profile and behavior

The activity points to a “methodical operator” with a hands-on workflow, rather than purely automated scripting.
The operator prioritized rapid credential access and reconnaissance over rapid deployment of backdoors or persistent implants, suggesting a targeted data-exfiltration objective rather than a broad ransomware or botnet deployment in this stage.

7) Affected users and the patch path

The vulnerability affected those running Marimo in editable notebook configurations or those exposing Marimo to shared networks with open host bindings in edit mode.
A patch exists in Marimo version 0.23.0, which closes the unsecured terminal endpoint and mitigates pre-authentication remote code execution paths.
The incident underscores the importance of promptly applying updates to open-source software components, especially those exposed to untrusted networks or used in editable notebook contexts.

8) Context and broader impact

Marimo’s ecosystem is sizable, with thousands of developers depending on it for data experimentation, prototyping, and dashboard development.
The rapid exploitation window—occurring within hours of disclosure—illustrates the elevated risk posed by pre-authentication flaws in network-exposed tooling used in data science workflows.
As with many high-severity vulnerabilities, the combination of an exposed WebSocket terminal and sensitive configuration data being stored in environment files amplifies the potential impact when attackers gain access.

9) What this means for the community

The incident highlights the need for careful exposure controls when running notebook environments or other interactive data tools on shared networks.
It also emphasizes the value of timely patches and the importance of monitoring for unusual activity on endpoints that expose interactive terminals.
The Marimo case adds to the ongoing discussion about securing open-source projects that provide powerful development environments, especially when those environments interoperate with sensitive credentials and cloud resources.

10) Closing note on timeline validation

The vulnerability was disclosed on April 8, 2026, with the patched release arriving on April 11, 2026.
Exploitation activity was observed shortly after the disclosure, with reconnaissance and credential-stealing sequences beginning within the first 12 hours and subsequent exploitation attempts following within a few hours.
Community observers emphasized the difference between automated tools and a deliberate operator-driven approach in the observed attacks.

Critical Marimo Pre‑Authentication RCE Flaw Now Under Active Exploitation

TechLogHub

April 12, 2026

0 views

CRITICAL MARIMO PRE-AUTH RCE FLAW NOW UNDER ACTIVE EXPLOITATION

1) Overview

A critical vulnerability in the Marimo open-source reactive Python notebook platform has entered active exploitation. The flaw is tracked as CVE-2026-39987 and was rated with a very high severity by GitHub’s assessment (9.3/10).
The issue affects Marimo versions 0.20.4 and earlier, with the vulnerability enabling remote code execution without authentication.
Public disclosure occurred in early April 2026, and a fix was released shortly afterward for the affected series.

2) What Marimo is

Marimo is an open-source Python notebook environment designed for data scientists, machine learning researchers, and developers building data-driven dashboards and apps.
The project has gained notable community attention, featuring thousands of stars and forks on its code hosting platform, reflecting its popularity within the data science and AI tooling space.

3) Technical details of the flaw

The root cause lies in the WebSocket-based terminal endpoint, specifically the /terminal/ws path, which exposed an interactive terminal without proper authentication checks.
An unauthenticated client could establish a connection and obtain a full interactive shell with the same privileges as the Marimo process, effectively compromising the host running Marimo.
The vulnerability specifically impacts environments where Marimo is deployed as an editable notebook or when the service is exposed to a shared network using a host binding of 0.0.0.0 while in edit mode.

4) Public disclosure and the fix

The Marimo project disclosed the flaw and its impact on April 8, 2026.
The developers released a patched version, Marimo 0.23.0, on April 11, 2026, addressing the vulnerability and tightening the authentication around the terminal endpoint.
The disclosure also noted the exposure risk for users who had made Marimo available as an editable notebook or who left the service accessible across a shared network.

5) Exploitation in the wild: a near-real-time timeline

Within the first 12 hours after vulnerability details were published, researchers observed reconnaissance activity across at least 125 distinct IP addresses.
In less than 10 hours after disclosure, the first exploitation attempts were seen in credential-theft-oriented operations.
The attacker sequence began with a quick test to validate remote command execution by connecting to the /terminal/ws endpoint and running a short scripted action before disconnecting.
Shortly after the initial probe, the attacker reconnected and resumed targeted reconnaissance to understand the environment. Basic commands were issued to determine working directories and system context, followed by attempts to locate SSH-related locations.
The operation then shifted to credential harvesting, with immediate focus on the environment’s .env file to extract environment variables, cloud credentials, and other secrets stored in configuration files.
Further probing targeted additional files within the working directory and attempts to locate SSH keys, aiming to access further footholds.
Sysdig’s analysis notes that the entire credential access phase completed in under three minutes, highlighting a tightly tuned sequence designed to extract high-value credentials quickly.
About an hour after the initial exploitation, the attacker returned for a second session using the same exploit path, indicating a deliberate, hands-on operator rather than fully automated tooling.
Observations describe a disciplined operator approach focused on high-value targets (credentials and keys), with no evidence of attempts to install persistence mechanisms, deploy cryptomining, or plant backdoors in this early wave.

6) Attacker profile and behavior

The activity points to a “methodical operator” with a hands-on workflow, rather than purely automated scripting.
The operator prioritized rapid credential access and reconnaissance over rapid deployment of backdoors or persistent implants, suggesting a targeted data-exfiltration objective rather than a broad ransomware or botnet deployment in this stage.

7) Affected users and the patch path

The vulnerability affected those running Marimo in editable notebook configurations or those exposing Marimo to shared networks with open host bindings in edit mode.
A patch exists in Marimo version 0.23.0, which closes the unsecured terminal endpoint and mitigates pre-authentication remote code execution paths.
The incident underscores the importance of promptly applying updates to open-source software components, especially those exposed to untrusted networks or used in editable notebook contexts.

8) Context and broader impact

Marimo’s ecosystem is sizable, with thousands of developers depending on it for data experimentation, prototyping, and dashboard development.
The rapid exploitation window—occurring within hours of disclosure—illustrates the elevated risk posed by pre-authentication flaws in network-exposed tooling used in data science workflows.
As with many high-severity vulnerabilities, the combination of an exposed WebSocket terminal and sensitive configuration data being stored in environment files amplifies the potential impact when attackers gain access.

9) What this means for the community

The incident highlights the need for careful exposure controls when running notebook environments or other interactive data tools on shared networks.
It also emphasizes the value of timely patches and the importance of monitoring for unusual activity on endpoints that expose interactive terminals.
The Marimo case adds to the ongoing discussion about securing open-source projects that provide powerful development environments, especially when those environments interoperate with sensitive credentials and cloud resources.

10) Closing note on timeline validation

The vulnerability was disclosed on April 8, 2026, with the patched release arriving on April 11, 2026.
Exploitation activity was observed shortly after the disclosure, with reconnaissance and credential-stealing sequences beginning within the first 12 hours and subsequent exploitation attempts following within a few hours.
Community observers emphasized the difference between automated tools and a deliberate operator-driven approach in the observed attacks.

Critical Marimo Pre‑Authentication RCE Flaw Now Under Active Exploitation

Stay Updated

Critical Marimo Pre‑Authentication RCE Flaw Now Under Active Exploitation

Stay Updated