A critical pre-authentication remote code execution (RCE) vulnerability in Marimo, a popular open-source reactive Python notebook framework, was publicly disclosed on April 10, 2026 — and within just 10 hours, threat actors were actively exploiting it in the wild. Tracked as CVE-2026-39987 with a CVSS score of 9.3 (Critical), the vulnerability allows any unauthenticated attacker to obtain a full interactive shell on a targeted server by simply completing a WebSocket handshake — no credentials, no user interaction, no sophisticated tooling required.
Vulnerability Details
The flaw resides in Marimo’s terminal WebSocket endpoint, located at /terminal/ws. Unlike other WebSocket endpoints in the application — such as /ws, which correctly calls the validate_auth() function before accepting connections — the /terminal/ws endpoint performs no authentication check whatsoever. It only verifies that the server is in the correct running mode and that the platform supports terminal functionality, then accepts the connection unconditionally.
The result is devastating: any attacker who can reach the Marimo instance over a network can establish a WebSocket connection to /terminal/ws and receive a full PTY (pseudo-terminal) shell running as the user that launched the Marimo process. In many deployment configurations, this means root or high-privilege access is trivially achievable.
Exploitation in the Wild
The Sysdig Threat Research Team deployed honeypot nodes running vulnerable Marimo instances (version 0.20.4 and below) across multiple cloud providers and observed the first exploitation attempts within hours of the CVE’s public disclosure. The rapid weaponization of this flaw is consistent with a growing trend of threat actors monitoring vulnerability disclosures in real time and developing proof-of-concept exploits within hours.
Observed attacker activity on the honeypot nodes included:
- Immediate reconnaissance of the compromised server’s environment, including OS version, CPU architecture, and network configuration.
- Download and execution of cryptocurrency mining payloads (cryptojacking).
- Attempts to install persistence mechanisms, including cron jobs and modified shell profiles.
- Lateral movement probing toward internal network assets reachable from the compromised host.
Affected Versions
CVE-2026-39987 affects all versions of Marimo up to and including 0.20.4. The vulnerability has been addressed in version 0.23.0, which was released alongside the CVE disclosure. Organizations running any version below 0.23.0 should treat themselves as vulnerable and upgrade immediately.
The vulnerability is especially significant because Marimo has seen rapid adoption in data science and machine learning teams as a more reactive and shareable alternative to Jupyter notebooks. Many data science environments expose Marimo instances to internal networks without strict network segmentation, meaning a single compromised workstation on the same network could pivot to any reachable Marimo server.
Risk Factors
Several factors elevate the risk posed by this vulnerability:
- No authentication required: The attack requires zero credentials, making it accessible to any attacker who can route traffic to the target.
- Trivial exploitation: A standard WebSocket client is sufficient to exploit the flaw — no specialized tooling or multi-stage attack chain needed.
- High-privilege execution: Marimo processes frequently run as the launching user, which in many development and cloud environments means elevated system access.
- Rapid weaponization: Active exploitation within 10 hours of disclosure leaves minimal window for patch deployment in organizations without continuous vulnerability management.
Remediation and Mitigation
The immediate priority for all Marimo users is to update to version 0.23.0 or later. In addition to patching, organizations should take the following steps:
- Audit all internal and external deployments of Marimo to identify internet- or network-exposed instances.
- Implement network-level access controls to restrict access to Marimo instances to trusted IP ranges only.
- Review server logs for WebSocket connection attempts to
/terminal/wsoriginating from unexpected IP addresses. - If exploitation is suspected, treat the host as fully compromised, rotate all credentials accessible from that system, and conduct a thorough forensic investigation.
This incident is another reminder that developer tools and data science platforms — which often receive less security scrutiny than customer-facing applications — can represent high-value, low-resistance targets for attackers seeking initial access to enterprise environments.