
Hackers Exploit Critical RCE Flaw in Marimo Python Notebooks

A critical pre-auth vulnerability in Marimo is under active exploitation, allowing attackers to gain full shell access and steal sensitive API keys.

A critical pre-authentication remote code execution vulnerability in the Marimo open-source Python notebook platform is now under active exploitation following its disclosure on April 8, 2026. Tracked as CVE-2026-39987 with a 9.3 CVSS score, the flaw allows attackers to gain a full interactive shell without credentials. If you run Marimo instances on shared networks, your environment is at immediate risk.

Endpoint Authentication Failure

The root cause is a missing validation step on Marimo’s /terminal/ws WebSocket endpoint. The platform secures its standard endpoints with a validate_auth() function, but the terminal endpoint only verifies the running mode and platform support and never checks authentication. This flaw, also tracked as GHSA-2679-6mx9-h9xc, exposes a critical oversight in routing logic.

Connecting to this unauthenticated WebSocket endpoint grants a remote attacker a PTY shell operating with the exact privileges of the running process. This allows arbitrary system command execution across all Marimo versions prior to and including 0.20.4.

Rapid Exploitation Timeline

Weaponization occurred almost immediately. Security researchers detected the first exploit attempts just nine hours and 41 minutes after public disclosure, prior to any public proof-of-concept release. Telemetry recorded manual reconnaissance from 125 distinct IP addresses within the first 12 hours. Operators executed complete credential theft operations in under three minutes per compromised instance.

The Sysdig Threat Research Team noted methodical, human-driven behavior rather than automated bot activity. Attackers specifically searched system file structures for SSH keys and .env files used to configure local AI workflows.

Targeting Data Science Infrastructure

Attackers are deliberately scanning niche developer tools to compromise research environments. Marimo holds roughly 20,000 GitHub stars and is heavily utilized in data science and engineering teams. The speed of this attack mirrors patterns seen when threat actors hijacked AI workflows earlier this year. Development environments often contain high-privilege access tokens required for building multi-agent systems, making these notebook platforms highly lucrative targets for credential harvesting.

Upgrade immediately to Marimo version 0.23.0, which was released on April 11, 2026. If your instance was exposed using the --host 0.0.0.0 flag in edit mode outside a VPN or robust firewall, assume compromise. Review your network logs for unauthorized WebSocket connections to the terminal endpoint and rotate all environment secrets and SSH keys present on the host.
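One way to run the log review described above, as an added example that is not code from Marimo or from the original article. It assumes a reverse proxy in front of Marimo writes combined-format access logs; the trusted CIDR, the function name and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Assumption: a reverse proxy in front of Marimo writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TERMINAL_PATH = "/terminal/ws"  # endpoint named in the advisory

# Constructed sample lines (documentation address ranges), not real telemetry.
SAMPLE_LOG = """\
10.8.0.12 - - [09/Apr/2026:07:02:11 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.45 - - [09/Apr/2026:07:41:03 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets"
198.51.100.7 - - [09/Apr/2026:07:44:19 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 403 0 "-" "curl/8.5.0"
203.0.113.45 - - [09/Apr/2026:07:45:00 +0000] "GET /api/status HTTP/1.1" 200 512 "-" "python-websockets"
malformed line that should be skipped
""".splitlines()


def find_terminal_ws_hits(lines, trusted_cidrs):
    """Return terminal-endpoint requests from outside the trusted networks.

    Each hit is a dict; 'upgraded' is True when the proxy answered 101
    (Switching Protocols), i.e. a WebSocket session was actually opened.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path != TERMINAL_PATH:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname or garbage
        if any(ip in net for net in trusted):
            continue
        hits.append({"ip": str(ip), "time": m["ts"], "upgraded": m["status"] == "101"})
    return hits


if __name__ == "__main__":
    for hit in find_terminal_ws_hits(SAMPLE_LOG, ["10.8.0.0/24"]):
        print(hit)
```

Any hit with upgraded set to True marks a host whose secrets and SSH keys should be treated as exposed and rotated.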
