Critical Marimo pre-auth RCE flaw is now under active exploitation

Hackers began exploiting a critical vulnerability in the Marimo open source reactive Python notebook just 10 hours after its public disclosure.
The bug allows remote code execution without authentication in Marimo versions 0.20.4 and earlier. It is tracked as CVE-2026-39987 and GitHub has evaluated it with a critical score of 9.3 out of 10.
According to researchers at cloud security firm Sysdig, attackers created an exploit from information in a developer’s tip and quickly began using it in attacks that leaked sensitive information.
Marimo is an open-source Python notebook environment, typically used by data scientists, ML/AI practitioners, researchers, and developers building data applications or dashboards. It is a very popular project, with 20,000 GitHub stars and 1,000 forks.
CVE-2026-39987 is caused by the WebSocket endpoint ‘/terminal/ws’ exposing an interactive terminal without proper authentication checks, allowing connections from any unauthorized client.
This provides direct access to a full interactive shell, running with the same privileges as the Marimo process.
Marimo disclosed the bug on April 8 and yesterday released version 0.23.0 to fix it. The developers noted that the bug affects users who have deployed Marimo as an editable notebook, as well as those who have exposed Marimo on a shared network using --host 0.0.0.0 while in edit mode.
Exploitation in the wild
Within the first 12 hours after the vulnerability information was disclosed, 125 IP addresses began scanning activity, according to Sysdig.
Less than 10 hours after the disclosure, researchers observed the first exploitation attempt, aimed at stealing credentials.
The attacker first confirmed the vulnerability by connecting to the /terminal/ws endpoint and running a short scripted sequence to verify remote command execution, disconnecting within seconds.
Soon after, they reconnected and began manual reconnaissance, issuing basic commands like pwd, whoami, and ls to understand the environment, followed by attempts at directory navigation and searches for SSH-related files.
Next, the attacker focused on harvesting credentials, quickly targeting the .env file and extracting environment variables, including cloud credentials and app secrets. They then tried to read additional files in the working directory and continued to look for SSH keys.

Source: Sysdig
The entire credential access phase was completed in less than three minutes, noted a Sysdig report this week.
About an hour later, the attacker returned for a second exploit session using the same exploit sequence.
Researchers say that behind the attack appears to be a “methodical operator” with a hands-on approach, rather than automated scripts, focused on high-value targets such as stealing .env credentials and SSH keys.
The attackers did not try to install persistence, cryptominers, or backdoors, which suggests a fast, stealthy operation.
Marimo users are recommended to upgrade to version 0.23.0 immediately, monitor WebSocket connections to ‘/terminal/ws,’ restrict external access through the firewall, and rotate all exposed secrets.
If upgrading is not possible, the recommended mitigation is to block or disable access to the ‘/terminal/ws’ endpoint entirely.
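One way to act on the "monitor WebSocket connections to /terminal/ws" advice is to scan reverse-proxy access logs for successful WebSocket upgrades to that path from any source outside an allow-list. The following is an added example written for this article; it is not code from Sysdig or the Marimo project. The JSON log layout and its field names (`src`, `path`, `upgrade`, `status`) are assumptions, and the sample lines are constructed for the demonstration.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample log lines (one JSON object per line), in the shape a reverse
# proxy in front of Marimo might emit. Field names are assumed, not Marimo's own.
SAMPLE_LOG = """\
{"ts":"2026-04-09T03:12:01Z","src":"127.0.0.1","path":"/terminal/ws","upgrade":"websocket","status":101}
{"ts":"2026-04-09T03:15:44Z","src":"203.0.113.25","path":"/terminal/ws","upgrade":"websocket","status":101}
{"ts":"2026-04-09T03:15:45Z","src":"203.0.113.25","path":"/terminal/ws/","upgrade":"websocket","status":101}
{"ts":"2026-04-09T03:16:10Z","src":"198.51.100.7","path":"/ws?session_id=abc","upgrade":"websocket","status":101}
{"ts":"2026-04-09T03:17:02Z","src":"198.51.100.7","path":"/terminal/ws","upgrade":"websocket","status":403}
{"ts":"2026-04-09T03:18:30Z","src":"203.0.113.25","path":"/api/kernel/run","upgrade":"","status":200}
"""

# The endpoint named in the advisory; the vulnerable terminal WebSocket.
TERMINAL_WS_PATH = "/terminal/ws"

# Sources from which a terminal connection is considered expected (assumed:
# only the local host should ever reach the editor's terminal).
DEFAULT_ALLOWED_NETS = ("127.0.0.0/8", "::1/128")


def normalize_path(path: str) -> str:
    """Drop the query string and a trailing slash so '/terminal/ws/?x=1'
    and '/terminal/ws' compare equal."""
    path = path.split("?", 1)[0]
    return path.rstrip("/") or "/"


def is_allowed_source(src: str, allowed_nets) -> bool:
    """True when the client address falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Unparseable source: treat as not allowed so it gets flagged.
        return False
    return any(addr in ipaddress.ip_network(net) for net in allowed_nets)


def find_terminal_ws_connections(log_text: str, allowed_nets=DEFAULT_ALLOWED_NETS):
    """Return every log record that is a completed (HTTP 101) WebSocket upgrade
    to /terminal/ws from a source outside the allow-list."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if normalize_path(rec.get("path", "")) != TERMINAL_WS_PATH:
            continue
        if rec.get("upgrade", "").lower() != "websocket":
            continue
        # 403 here means the block-at-the-proxy mitigation worked; only a 101
        # means a shell session was actually established.
        if rec.get("status") != 101:
            continue
        if is_allowed_source(rec.get("src", ""), allowed_nets):
            continue
        findings.append(rec)
    return findings


def summarize_by_source(findings) -> Counter:
    """Count flagged terminal sessions per client address."""
    return Counter(rec["src"] for rec in findings)


if __name__ == "__main__":
    hits = find_terminal_ws_connections(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} terminal WebSocket from {rec['src']} -> {rec['path']}")
    print("sessions per source:", dict(summarize_by_source(hits)))
```

Run against the constructed sample, the loopback connection is ignored, the 403 from 198.51.100.7 is ignored because no session was established, and the two 101 upgrades from 203.0.113.25 are reported. In a real deployment, feed it the proxy's own logs and treat any hit as a reason to check for .env reads and SSH key access on the host and to rotate the secrets that process could see.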