Summary

CVE-2026-39987 represents a critical pre-authenticated remote code execution vulnerability affecting Marimo, an open-source reactive Python notebook platform widely used for data science, analysis, and interactive coding workflows.

This vulnerability, carrying a CVSS score of 9.3, impacts all Marimo versions prior to 0.23.0 and stems from a complete absence of authentication validation on the /terminal/ws WebSocket endpoint. This authentication bypass allows any unauthenticated remote attacker to obtain a full PTY (pseudo-terminal) shell and execute arbitrary system commands on vulnerable Marimo instances through a single WebSocket connection, without requiring any credentials, user interaction, or prior compromise.

The vulnerability was publicly disclosed on April 8, 2026, through a security advisory that detailed the technical root cause and exploitation methodology. Remarkably, active exploitation in the wild was observed within just 9 hours and 41 minutes of the advisory's publication, demonstrating the rapidly shrinking window between vulnerability disclosure and weaponization.

This extremely brief time-to-exploit window occurred without any public proof-of-concept code being available, indicating that attackers crafted working exploits directly from the advisory's technical description alone.

Security researchers operating honeypot infrastructure detected the first exploitation attempt when an attacker connected to the unauthenticated terminal WebSocket endpoint and conducted manual reconnaissance activities across four distinct sessions spanning approximately 90 minutes.

The attacker's activities focused primarily on credential harvesting and data collection rather than deployment of persistent malware, cryptominers, or backdoors. Specific attacker objectives included:

 
• Harvesting credentials from .env environment files commonly used in Python development workflows
 
• Searching for SSH private keys that could enable lateral movement
 
• Conducting comprehensive file system exploration to identify valuable data repositories

The vulnerability's root cause lies in inconsistent security control implementation across Marimo's WebSocket endpoints. While other endpoints such as /ws properly invoke the validate_auth() authentication function, the /terminal/ws endpoint completely bypasses this validation step.

The impact severity extends significantly beyond simple server compromise. Marimo environments frequently store sensitive API keys for Large Language Model providers (OpenAI, Anthropic, Cohere, etc.) as well as cloud service credentials for AWS, Google Cloud Platform, and Azure infrastructure.

Exfiltration of these credentials could enable:

 
• Lateral movement into cloud infrastructure hosting production workloads
 
• Unauthorized abuse of expensive AI services
 
• Exposure of proprietary datasets or machine learning artifacts
 
• Compromise of interconnected development and production environments

The observed exploitation pattern suggests professional threat actor involvement rather than opportunistic scanning. The attacker demonstrated:

 
• Methodical manual reconnaissance
 
• Focus on high-value credential theft
 
• Operational security discipline (no persistent backdoors)

Organizations running Marimo face immediate risk requiring emergency remediation.

Vulnerability Details

Technical Root Cause and Authentication Bypass Mechanism

CVE-2026-39987 exists due to architectural inconsistency in authentication enforcement across Marimo's WebSocket endpoint implementations.

 
• Most endpoints (e.g., /ws) invoke validate_auth() before granting access
 
• The /terminal/ws endpoint omits authentication entirely

This allows unauthenticated attackers to establish WebSocket connections and gain full terminal access.

Upon connection, attackers receive a full PTY shell with the privileges of the Marimo process user, enabling:

 
• Arbitrary command execution
 
• File system navigation
 
• Sensitive file access
 
• System configuration modification

Exploitation Timeline and Attacker Methodology

 
• Disclosure Date: April 8, 2026
 
• First Exploit Observed: 9 hours 41 minutes later

No public proof-of-concept code was available during initial exploitation.

The attacker:

 
• Conducted 4 sessions over ~90 minutes
 
• Performed systematic file enumeration
 
• Harvested .env credentials
 
• Searched for SSH keys
 
• Explored project directories

Notably, the attacker did NOT:

 
• Deploy malware
 
• Install cryptominers
 
• Establish persistence
 
• Perform destructive actions

This indicates targeted credential harvesting.

Impact Scope and Credential Exposure Risk

The impact extends beyond server compromise due to sensitive data stored in Marimo environments.

At-Risk Data Includes:

 
• LLM API keys (OpenAI, Anthropic, Cohere, Gemini, etc.)
 
• Cloud credentials (AWS, GCP, Azure)
 
• Database connection strings
 
• SSH private keys
 
• Proprietary datasets and ML models

Potential Consequences:

 
• Abuse of AI services (cost exploitation, prompt injection)
 
• Lateral movement into cloud environments
 
• Data exfiltration
 
• Deployment of additional attack infrastructure

Patch Availability and Remediation

Marimo version 0.23.0 fixes the vulnerability by enforcing authentication on /terminal/ws.

If Immediate Upgrade Is Not Possible:

 
• Restrict access via firewall or reverse proxy
 
• Disable terminal functionality
 
• Deploy only in private networks

Recommendations

1. Upgrade Marimo to Version 0.23.0 Immediately

All organizations must upgrade without delay.

If not possible:

 
• Restrict /terminal/ws access
 
• Apply firewall/WAF rules
 
• Disable terminal feature

2. Audit and Rotate All Potentially Exposed Credentials

Audit all accessible credentials:

 
• .env files and environment variables
 
• SSH keys (.ssh directories)
 
• Config files with tokens
 
• Hardcoded secrets in repositories

Action: Rotate all credentials—even without confirmed compromise.

3. Restrict Network Exposure of Notebook Environments

Notebook platforms should never be exposed without protection.

Recommended Controls:

 
• VPN access
 
• Private subnets
 
• Authenticated reverse proxies (SSO, OAuth, MFA)
 
• Avoid binding to 0.0.0.0 unless secured

4. Implement Container Security Hardening

For containerized deployments:

 
• Run as non-root user
 
• Use read-only filesystems
 
• Minimize Linux capabilities
 
• Apply resource limits

5. Deploy WebSocket Monitoring and Anomaly Detection

Monitor for:

 
• Unexpected /terminal/ws connections
 
• Unusual shell process spawning
 
• Abnormal process trees
 
• Suspicious outbound traffic
 
• Bulk access to sensitive files

Key Insight: Any external /terminal/ws access is a high-confidence indicator of compromise.

MITRE ATT&CK TTPs

Initial Access

 
• T1190: Exploit Public-Facing Application

Execution

 
• T1059: Command and Scripting Interpreter
   
  • T1059.004: Unix Shell
   
  • T1059.006: Python

Discovery

 
• T1083: File and Directory Discovery
 
• T1016: System Network Configuration Discovery
 
• T1082: System Information Discovery

Credential Access

 
• T1552: Unsecured Credentials
   
  • T1552.001: Credentials in Files

Collection

 
• T1005: Data from Local System

Lateral Movement

 
• T1021: Remote Services
   
  • T1021.004: SSH

References

 
• https://webflow.sysdig.com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours
 
• https://github.com/advisories/GHSA-2679-6MX9-H9XC
 
• https://labs.cloudsecurityalliance.org/research/csa-research-note-marimo-rce-cve-2026-39987-ai-toolchain-202/
 
• https://github.com/marimo-team/marimo/releases