Critical Marimo RCE Flaw (CVE-2026-39987) Exploited in the Wild Less Than 10 Hours After Disclosure

Executive Summary

On April 8, 2026, a critical remote code execution (RCE) vulnerability in Marimo, an open-source reactive notebook for Python, was publicly disclosed. The vulnerability, tracked as CVE-2026-39987, carries a CVSS score of 9.3 and allows unauthenticated attackers to gain full system access. In a stark demonstration of the speed of modern attackers, security researchers at Sysdig detected the first in-the-wild exploitation of this flaw just 9 hours and 41 minutes after the advisory was published. The attacker successfully developed a working exploit solely from the technical description in the advisory, as no public proof-of-concept was available. This incident serves as a critical reminder for developers and security teams to patch vulnerabilities with extreme urgency.

Vulnerability Details

• CVE ID: CVE-2026-39987
• Affected Product: Marimo (versions up to and including 0.20.4)
• Vulnerability Type: Authentication Bypass leading to Remote Code Execution
• CVSS Score: 9.3 (Critical)
• Attack Vector: Network
• Authentication: Not Required

The vulnerability exists in the /terminal/ws WebSocket endpoint of the Marimo application. This endpoint was intended to provide a terminal interface for authenticated users but lacked any authentication checks. As a result, any unauthenticated attacker could connect to this WebSocket and gain a full interactive PTY (pseudo-terminal) shell on the server, with the privileges of the user running the Marimo notebook.

Exploitation Status

The vulnerability was exploited in the wild in less than 10 hours. The Sysdig honeypot that detected the attack recorded the following sequence:

1. Connection: The attacker connected to the vulnerable /terminal/ws endpoint.
2. Reconnaissance: The attacker manually executed basic commands like ls -la and pwd to understand the file system and their current location.
3. Credential Theft: The attacker located and exfiltrated the contents of a .env file and searched for SSH keys (.ssh directory), completing the entire credential theft operation in under three minutes.

This demonstrates a skilled attacker capable of rapid weaponization of a newly disclosed vulnerability without needing a pre-built exploit script.

Impact Assessment

A successful exploit gives an attacker an interactive shell on the server running Marimo. This allows them to:

• Execute Arbitrary Commands: Run any command with the permissions of the Marimo user.
• Steal Source Code and Data: Access and exfiltrate proprietary code, datasets, and sensitive information stored on the server.
• Steal Credentials: Read configuration files (.env), SSH keys, and cloud provider credentials, enabling further lateral movement into cloud environments or other systems.
• Establish Persistence: Install backdoors, reverse shells, or cryptominers to maintain long-term access to the compromised system.

The compromise of a data science or development environment can be particularly damaging, leading to intellectual property theft and a deep compromise of an organization's infrastructure.

Cyber Observables for Detection

Detection & Response

1. Web Server Log Analysis: Review web server and application logs for any connection attempts to the /terminal/ws URL. Any successful connection from an unauthorized source should be treated as a compromise.
2. Process Monitoring: Use an EDR or process auditing to monitor the Marimo process. A Python web application should not be spawning interactive shells. Alerting on this behavior can detect post-exploitation activity.
3. Network Monitoring: Analyze network traffic for connections on the port Marimo is running on. Specifically, look for WebSocket upgrade requests to the /terminal/ws path.

D3FEND Reference: Detection focuses on D3-WSAA - Web Session Activity Analysis to spot the malicious WebSocket connection and D3-PA - Process Analysis to see the resulting shell.

Mitigation

• Patch Immediately: The primary mitigation is to update to Marimo version 0.23.0 or later, which completely removes the vulnerability. This is an urgent patching requirement.
• Restrict Access: Never expose a Marimo notebook instance directly to the internet. They are development tools and should be run on a local machine or on an internal network behind a firewall and an authenticating proxy.
• Firewall Rules: If a Marimo instance must be accessible, use a firewall to restrict access to the specific port to only known, trusted IP addresses.

D3FEND Reference: The only true fix is D3-SU - Software Update. As a preventative measure, D3-NI - Network Isolation ensures development tools like Marimo are not exposed to attackers in the first place.