~/home/news/marimo-rce-flaw-exploited-within-2026-04-17
newsFriday, April 17, 20268 min read👁 24 views

Marimo RCE Flaw Exploited Within Hours: Critical CVE-2026-39987

A critical unauthenticated RCE vulnerability (CVE-2026-39987) in Marimo's /terminal/ws WebSocket endpoint was weaponized just nine hours after public disclosure, allowing attackers to grab interactive shells and exfiltrate SSH keys. All versions up to 0.20.4 are affected; patches start at 0.23.0.

MarimoRemote Code ExecutionCVE-2026-39987WebSocket Vulnerability

Overview/Introduction

On April 8, 2026, the open-source reactive notebook Marimo disclosed a critical remote code execution (RCE) flaw (CVE-2026-39987) that enables an unauthenticated attacker to obtain a full interactive shell via the /terminal/ws WebSocket endpoint. Within nine hours of the advisory, threat actors began exploiting the bug in the wild, stealing SSH private keys and potentially compromising entire data-science environments.

Marimo, a Python-centric notebook platform with roughly 20 000 GitHub stars, is widely used for collaborative analytics, model prototyping, and educational labs. The vulnerability strikes a core component that many users expose to the internet for remote development, making the impact both broad and deep.

Technical Details

The vulnerability is rooted in a missing authentication check on the /terminal/ws endpoint. While other WebSocket routes (e.g., /ws) invoke validate_auth() before establishing a session, the terminal endpoint only verifies the runtime mode (development vs production) and platform support. This oversight allows any client that can reach the endpoint to open a WebSocket connection and interact with the underlying shell process.

CVE-2026-39987 details:

  • Severity: CVSS 9.3 (Critical)
  • Affected versions: All releases ≤ 0.20.4
  • Fixed in: 0.23.0 (and later)
  • Attack vector: Network-accessible WebSocket (Unauthenticated)
  • Impact: Full command execution, file system read/write, credential exfiltration

Exploitation flow (as observed by Sysdig):

1. Attacker discovers an exposed Marimo instance (e.g., https://example.com:8899).
2. Sends a WebSocket handshake to /terminal/ws - no auth token required.
3. Receives a live PTY stream; sends shell commands (e.g., `id`, `whoami`).
4. Executes `find $HOME -type f -name "*id_rsa*"` to locate SSH private keys.
5. Reads and exfiltrates key files via the same WebSocket channel.

Because the endpoint spawns a privileged shell tied to the process owner (often root in containerized deployments), the attacker can pivot to any service the notebook can reach, including internal APIs, databases, and CI/CD pipelines.

Impact Analysis

Any organization that runs Marimo on a host reachable from the network-whether on-prem, cloud VMs, or container orchestration platforms-faces immediate risk. The following vectors amplify the danger:

  • Collaborative environments: Shared notebooks often expose the terminal to multiple users, making the missing auth check a single point of failure.
  • CI/CD integration: Some teams embed Marimo notebooks in pipelines for model validation; a compromised notebook can inject malicious code into production artifacts.
  • Credential leakage: SSH keys, API tokens, and cloud provider credentials are routinely stored in a developer's home directory for convenience, providing attackers with lateral movement paths.

Given the CVSS rating and the observed rapid weaponization, the vulnerability is classified as critical. A successful exploit grants the adversary the same privileges as the notebook process, which in many deployments is root or a highly privileged service account.

Timeline of Events

  • 2026-04-08 09:00 UTC - Marimo maintainers publish advisory for CVE-2026-39987.
  • 2026-04-08 18:41 UTC - Sysdig’s honeypot logs first unauthenticated connection to /terminal/ws from a single external IP.
  • 2026-04-08 18:43 UTC - Attacker performs reconnaissance (listing files, searching for SSH keys).
  • 2026-04-08 18:49 UTC - Attacker exfiltrates discovered private keys and terminates the session.
  • 2026-04-08 19:00-21:00 UTC - Additional 125 IPs observed probing for open Marimo terminals (port scans, HTTP HEAD requests).
  • 2026-04-09 - Public discussion on security forums confirms active exploitation and shares mitigation steps.
  • 2026-04-12 - Marimo releases version 0.23.0 with authentication enforcement on the terminal endpoint.

Mitigation/Recommendations

Organizations should treat this as an emergency patching case. Recommended actions:

  1. Upgrade immediately: Deploy Marimo ≥ 0.23.0 on all hosts. Verify the validate_auth() call is present in the endpoint code.
  2. Restrict network exposure: Bind the notebook server to localhost or a private VLAN. If remote access is required, place a reverse proxy (NGINX, Traefik) with strict authentication in front of the WebSocket endpoint.
  3. Disable the terminal endpoint: For environments that do not need interactive shells, set terminal_enabled=False in the configuration.
  4. Rotate credentials: Assume any SSH keys discovered during the attack are compromised. Regenerate keys, revoke associated access, and update CI/CD secrets.
  5. Audit logs: Review server logs for unexpected WebSocket connections, especially from external IP ranges. Correlate with cloud-provider audit trails for privilege escalation.
  6. Implement network segmentation: Ensure notebooks cannot directly reach critical internal services without additional authentication layers.

Real-World Impact

In practice, the flaw translates to a “back-door” for any attacker who can locate an exposed Marimo instance. A single compromised notebook can lead to:

  • Stealing SSH keys that grant access to internal Git repositories, allowing source-code theft or injection of malicious commits.
  • Harvesting cloud-provider credentials (AWS, GCP, Azure) that may be stored in ~/.aws/credentials or environment variables, enabling cloud-resource hijacking.
  • Executing ransomware payloads directly from the notebook’s process, leveraging the same privileges used by data-science pipelines.
  • Persisting footholds by creating new user accounts or deploying web-shells on the host.

Enterprises that adopt Marimo for collaborative research-particularly in regulated sectors such as finance or healthcare-must treat any exposure as a potential breach of sensitive data, with compliance implications under GDPR, HIPAA, or PCI-DSS.

Expert Opinion

From a strategic standpoint, the rapid weaponization of CVE-2026-39987 underscores two broader industry trends:

  1. Speed of exploitation: Modern threat actors no longer wait for PoCs to circulate; they can craft functional exploits directly from advisory text. This raises the bar for “security through obscurity” and forces vendors to adopt responsible-disclosure timelines that consider real-world attacker capabilities.
  2. WebSocket attack surface: As more development tools shift to browser-based IDEs and notebooks, WebSocket endpoints become high-value targets. Authentication must be enforced at the transport layer, not just at the application level.

For the data-science community, the incident is a wake-up call to treat notebooks as production code-not as throw-away scripts. Embedding proper zero-trust controls-mutual TLS, short-lived tokens, and strict network segmentation-will mitigate the risk of similar bugs in the future.

In summary, the Marimo RCE flaw is a textbook example of how a single missing auth check can cascade into full-system compromise. Immediate patching, network hardening, and credential rotation are non-negotiable steps for any organization that runs Marimo in a shared or internet-facing context.