Marimo, the popular open-source reactive Python notebook (~19.6k GitHub stars), was hit with CVE-2026-39987, a critical pre-authentication remote code execution flaw rated CVSS v4.0 9.3. Sysdig's Threat Research Team observed the first in-the-wild exploitation 9 hours and 41 minutes after the advisory was published, and CISA has since added it to the Known Exploited Vulnerabilities (KEV) catalog. If you run Marimo anywhere reachable, treat this as a P0.
The Vulnerability
The flaw lives in Marimo's terminal WebSocket endpoint, /terminal/ws. While other WebSocket endpoints on the same server (e.g. /ws) correctly call validate_auth(), the terminal endpoint does not. Any attacker who can complete a WebSocket handshake gets a full PTY shell as the user running the Marimo process. No credentials, no tokens, no user interaction required.
Affected versions: Marimo ≤ 0.20.4. Patched in 0.23.0. Official advisory: GHSA-2679-6mx9-h9xc.
Why It's Bad
- Pre-authentication: No login required. An attacker on the network is an attacker on your shell.
- Full PTY: Not a constrained shell or a sandboxed evaluator. A real interactive terminal with the privileges of the Marimo process.
- Exploit speed: Under 10 hours from advisory to active exploitation in the wild. Sysdig observed a complete credential-theft operation execute in under 3 minutes once a target was reached.
- Common deployment pattern: Marimo is often deployed in shared internal environments: data science workspaces, notebook servers, staging. Exactly the kind of "trusted" zone that gets soft-defended.
Indicators & Detection
- WebSocket connections to
/terminal/wsfrom unexpected source IPs. - Marimo process spawning child processes outside its normal kernel-execution path (shells, networking tools, package managers).
- Outbound connections from the Marimo host to attacker-controlled infrastructure. Recent reporting also describes attackers using this CVE to drop blockchain-based backdoors via Hugging Face. Watch for unexpected Hugging Face Hub pulls.
Immediate Actions
- Upgrade to Marimo 0.23.0 or later. There is no workaround that's safer than patching.
- If patching is delayed, take the instance off the network or restrict it to localhost / authenticated VPN.
- Audit shell history, process trees, and outbound connections on every Marimo host since the disclosure window.
- Inventory your AI/data-science tooling. If your security team doesn't have a list of running notebook servers, this is the moment to make one.
The Xploitix Take
This is the Langflow story all over again, an AI/ML productivity tool with a missing auth check, exploited within hours. The pattern is becoming a category: AI tooling moves fast, security maturity lags, and the network exposure surface is enormous because these tools are built to be shared. Every AI/notebook platform you deploy is part of your attack surface. Treat them like production services, not lab toys.
Sources
- Marimo official security advisory: GHSA-2679-6mx9-h9xc
- The Hacker News: Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure
- Endor Labs: Root in One Request, Marimo's Critical Pre-Auth RCE
- BleepingComputer: Critical Marimo pre-auth RCE flaw now under active exploitation
- CSO Online: Critical flaw in Marimo Python notebook exploited within 10 hours
- Cloud Security Alliance: Marimo RCE CVE-2026-39987 research note