Marimo RCE Flaw Exploited in Under 10 Hours of Public Disclosure

Critical Marimo RCE Flaw (CVE-2026-39987) Exploited in the Wild Less Than 10 Hours After Disclosure

CRITICAL
April 9, 2026
April 14, 2026
4m read
VulnerabilityCyberattack

Related Entities(initial)

Products & Tech

MarimoPython

Other

Sysdig

CVE Identifiers

CVE-2026-39987
CRITICAL
CVSS:9.3
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1190Initial Access

Exploit Public-Facing Application

T1059.006Execution

Python

T1087.002Discovery

Domain Account

T1552.001Credential Access

Credentials In Files

Full Report(when first published)

Executive Summary

On April 8, 2026, a critical remote code execution (RCE) vulnerability in Marimo, an open-source reactive notebook for Python, was publicly disclosed. The vulnerability, tracked as CVE-2026-39987, carries a CVSS score of 9.3 and allows unauthenticated attackers to gain full system access. In a stark demonstration of the speed of modern attackers, security researchers at Sysdig detected the first in-the-wild exploitation of this flaw just 9 hours and 41 minutes after the advisory was published. The attacker successfully developed a working exploit solely from the technical description in the advisory, as no public proof-of-concept was available. This incident serves as a critical reminder for developers and security teams to patch vulnerabilities with extreme urgency.

Vulnerability Details

  • CVE ID: CVE-2026-39987
  • Affected Product: Marimo (versions up to and including 0.20.4)
  • Vulnerability Type: Authentication Bypass leading to Remote Code Execution
  • CVSS Score: 9.3 (Critical)
  • Attack Vector: Network
  • Authentication: Not Required

The vulnerability exists in the /terminal/ws WebSocket endpoint of the Marimo application. This endpoint was intended to provide a terminal interface for authenticated users but lacked any authentication checks. As a result, any unauthenticated attacker could connect to this WebSocket and gain a full interactive PTY (pseudo-terminal) shell on the server, with the privileges of the user running the Marimo notebook.

Exploitation Status

The vulnerability was exploited in the wild in less than 10 hours. The Sysdig honeypot that detected the attack recorded the following sequence:

  1. Connection: The attacker connected to the vulnerable /terminal/ws endpoint.
  2. Reconnaissance: The attacker manually executed basic commands like ls -la and pwd to understand the file system and their current location.
  3. Credential Theft: The attacker located and exfiltrated the contents of a .env file and searched for SSH keys (.ssh directory), completing the entire credential theft operation in under three minutes.

This demonstrates a skilled attacker capable of rapid weaponization of a newly disclosed vulnerability without needing a pre-built exploit script.

Impact Assessment

A successful exploit gives an attacker an interactive shell on the server running Marimo. This allows them to:

  • Execute Arbitrary Commands: Run any command with the permissions of the Marimo user.
  • Steal Source Code and Data: Access and exfiltrate proprietary code, datasets, and sensitive information stored on the server.
  • Steal Credentials: Read configuration files (.env), SSH keys, and cloud provider credentials, enabling further lateral movement into cloud environments or other systems.
  • Establish Persistence: Install backdoors, reverse shells, or cryptominers to maintain long-term access to the compromised system.

The compromise of a data science or development environment can be particularly damaging, leading to intellectual property theft and a deep compromise of an organization's infrastructure.

Cyber Observables for Detection

Type Value Description
url_pattern /terminal/ws Any connection to this WebSocket endpoint from an untrusted or external IP address is a strong indicator of an exploitation attempt.
process_name python Monitor the Python process running the Marimo notebook for suspicious child processes like /bin/sh, bash, or other unexpected commands.
network_traffic_pattern Unexpected outbound connections from the Marimo server After exploitation, the attacker may try to establish a reverse shell or exfiltrate data.

Detection & Response

  1. Web Server Log Analysis: Review web server and application logs for any connection attempts to the /terminal/ws URL. Any successful connection from an unauthorized source should be treated as a compromise.
  2. Process Monitoring: Use an EDR or process auditing to monitor the Marimo process. A Python web application should not be spawning interactive shells. Alerting on this behavior can detect post-exploitation activity.
  3. Network Monitoring: Analyze network traffic for connections on the port Marimo is running on. Specifically, look for WebSocket upgrade requests to the /terminal/ws path.

D3FEND Reference: Detection focuses on D3-WSAA - Web Session Activity Analysis to spot the malicious WebSocket connection and D3-PA - Process Analysis to see the resulting shell.

Mitigation

  • Patch Immediately: The primary mitigation is to update to Marimo version 0.23.0 or later, which completely removes the vulnerability. This is an urgent patching requirement.
  • Restrict Access: Never expose a Marimo notebook instance directly to the internet. They are development tools and should be run on a local machine or on an internal network behind a firewall and an authenticating proxy.
  • Firewall Rules: If a Marimo instance must be accessible, use a firewall to restrict access to the specific port to only known, trusted IP addresses.

D3FEND Reference: The only true fix is D3-SU - Software Update. As a preventative measure, D3-NI - Network Isolation ensures development tools like Marimo are not exposed to attackers in the first place.

Timeline of Events

1
April 8, 2026
The Marimo RCE vulnerability (CVE-2026-39987) is publicly disclosed.
2
April 8, 2026
Sysdig researchers observe the first in-the-wild exploitation attempt, just 9 hours and 41 minutes after disclosure.
3
April 9, 2026
This article was published

Article Updates

April 14, 2026

New reports confirm continued active exploitation of Marimo RCE (CVE-2026-39987) with updated threat intelligence.

Update Sources:
research.checkpoint.com13th April – Threat Intelligence Report
securityonline.infoCVE-2026-39987: Unauthenticated RCE in Marimo Python Notebooks

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

Immediately update Marimo to version 0.23.0 or later to eliminate the vulnerability.

Mapped D3FEND Techniques:

D3-SU

Limit Access to Resource Over Network

M1035enterprise

Do not expose development tools like Marimo directly to the internet. Restrict access to internal networks or trusted IPs only.

Mapped D3FEND Techniques:

D3-NI

Application Isolation and Sandboxing

M1048enterprise

Run development tools in containerized or isolated environments to limit the blast radius of a potential compromise.

Mapped D3FEND Techniques:

D3-DAD3-HBPID3-SCF

D3FEND Defensive Countermeasures

Software Update

D3-SUMaps to MITREM1051
D3FEND

The exploitation of CVE-2026-39987 within 10 hours of disclosure underscores that the only truly effective mitigation is immediate patching. Organizations using Marimo must treat the update to version 0.23.0 as an emergency change. The speed of weaponization means that traditional weekly or monthly patch cycles are no longer adequate for critical, internet-facing vulnerabilities. An automated system for identifying vulnerable software versions and deploying patches is essential. In this specific case, any Marimo instance running a version up to 0.20.4 must be updated without delay. This is a direct and complete countermeasure to the threat.

Network Isolation

D3-NIMaps to MITREM1035
D3FEND

This incident is a textbook case for the importance of Network Isolation for development tools. Marimo notebooks, like Jupyter or other interactive coding environments, should never be directly exposed to the public internet. They are not designed with the same security hardening as production web servers. The best practice is to run these tools on a local machine or within a private, isolated network. Any remote access should be brokered through a secure, authenticated gateway like a VPN or an authenticating proxy (e.g., Google's IAP). By implementing this 'zero-exposure' policy for development tools, organizations can ensure that even if a critical vulnerability like CVE-2026-39987 is disclosed, their instances are not reachable by attackers, rendering the vulnerability non-exploitable from the outside.

Sources & References(when first published)

GHSA-2679-6mx9-h9xc: Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
GitLab (gitlab.com) April 8, 2026
Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure
The Hacker News (thehackernews.com) April 10, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

RCEVulnerabilityExploitMarimoPythonCVE-2026-39987Zero-Day

📢 Share This Article

Help others stay informed about cybersecurity threats