Race Against Time: Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure

TL;DR: A critical pre-authenticated Remote Code Execution (RCE) vulnerability in the Marimo Python notebook (CVE-2026-39987) was weaponized by threat actors in less than 10 hours following its public disclosure. Despite the lack of an initial proof-of-concept, attackers successfully used the flaw to harvest credentials and SSH keys.

---

The window of opportunity for defenders is shrinking at an alarming rate. Recent findings from security firm Sysdig reveal that a critical vulnerability in Marimo, an open-source Python notebook used for data science, was exploited by a manual operator just 9 hours and 41 minutes after the advisory was released.

The flaw, tracked as CVE-2026-39987, carries a near-perfect CVSS score of 9.3, highlighting the severity of the risk to the data science and development communities.

Understanding CVE-2026-39987

The vulnerability is a pre-authenticated remote code execution (RCE) flaw. It originates from a security oversight in how Marimo handles WebSocket connections.

According to Marimo maintainers, the application features a terminal WebSocket endpoint (/terminal/ws) that failed to implement proper authentication validation. While other endpoints correctly invoked the validate_auth() function, the terminal endpoint only verified the running mode and platform support before granting access.

By skipping the authentication check, the application allowed unauthenticated attackers to:

• Connect to the WebSocket endpoint without credentials.
• Obtain a full PTY (pseudo-terminal) shell.
• Execute arbitrary system commands on the host.

The vulnerability impacts all versions of Marimo prior to and including 0.20.4.

Anatomy of the Attack

Sysdig monitored the exploitation through a honeypot system. Even without a published proof-of-concept (PoC) code, a threat actor was able to build a working exploit based solely on the technical details provided in the security advisory.

The attack unfolded in stages:

1. Initial Access: Less than 10 hours after disclosure, the attacker connected to the /terminal/ws endpoint.
2. Reconnaissance: The actor performed manual exploration of the file system.
3. Data Harvesting: Within minutes, the attacker attempted to exfiltrate sensitive information, specifically targeting .env files and searching for SSH keys and other sensitive local files.
4. Follow-up: The attacker returned an hour later to verify the contents of the .env file and check if other rival threat actors had compromised the same system.

Notably, the attacker did not deploy automated payloads such as cryptocurrency miners or persistent backdoors, suggesting a focused "smash-and-grab" operation aimed at credential theft.

The Shrinking Defense Window

This incident underscores a dangerous trend in the cybersecurity landscape: the rapid weaponization of "N-day" vulnerabilities.

"The attacker connected four times over 90 minutes, with pauses between sessions," Sysdig noted. "This is consistent with a human operator working through a list of targets, returning to confirm findings."

The speed of this attack serves as a reminder that popularity does not equate to security. Even niche or specialized tools like Marimo are under constant surveillance by threat actors who monitor public advisories to find targets before patches can be widely applied.

Remediation and Recommendations

The vulnerability has been addressed in Marimo version 0.23.0.

Users and organizations utilizing Marimo for data analysis should take the following steps immediately:

• Update: Upgrade Marimo instances to version 0.23.0 or later.
• Audit: If you were running an exposed version of Marimo, check for signs of unauthorized access, specifically looking for accessed .env files or unauthorized SSH key activity.
• Network Security: Ensure that development tools and notebooks are not exposed to the public internet unless absolutely necessary, and always behind a robust authentication layer or VPN.

Source: The Hacker News