On April 8, 2026, a critical security advisory was published for CVE-2026-39987 — a pre-authentication remote code execution (RCE) vulnerability in Marimo, the open-source reactive Python notebook platform. What followed was a textbook case of the modern exploitation lifecycle: within 9 hours and 41 minutes, a threat actor had built a working exploit directly from the advisory text, connected to exposed instances, and executed a complete credential theft operation in under 3 minutes.
No public proof-of-concept code existed. No CVE number had been officially assigned. The attacker needed nothing more than a WebSocket client and the advisory description.
What is CVE-2026-39987?
CVE-2026-39987 (CVSS v4.0: 9.3 Critical) is a missing authentication vulnerability in the /terminal/ws WebSocket endpoint of Marimo versions 0.20.4 and earlier.
Marimo provides an interactive PTY (pseudo-terminal) shell via this endpoint — essentially a full Linux shell running inside the browser. The problem: while other WebSocket endpoints in Marimo correctly call validate_auth() before accepting connections, the terminal endpoint skips this check entirely.
The result: any unauthenticated user on the network can connect to /terminal/ws and receive a full interactive shell running with the same privileges as the Marimo process — no credentials required, no exploit complexity needed.
Who is at Risk?
The vulnerability affects Marimo users who:
- Deploy Marimo in edit mode (not read-only)
- Expose Marimo to a shared network using --host 0.0.0.0
- Run Marimo on internet-facing servers or cloud instances
- Use Marimo in data science pipelines with access to cloud credentials, .env files, or SSH keys
While Marimo has approximately 20,000 GitHub stars — small compared to platforms like Langflow (145,000+) — the speed of exploitation shows that threat actors are monitoring advisory feeds broadly, not just targeting household-name software.
Attack Timeline: How the Breach Unfolded
Sysdig’s Threat Research Team (TRT) deployed honeypot nodes running vulnerable Marimo instances across multiple cloud providers immediately after the advisory was published. Here is exactly what they observed:
Phase 1 — PoC Validation (07:31 UTC, T+9h41m)
The attacker connected to /terminal/ws and ran a structured validation sequence:
echo '---POC-START---'
id
echo '---POC-END---'
The use of marker strings indicates a scripted PoC, not manual typing. The attacker confirmed code execution in 9 seconds and disconnected immediately.
Phase 2 — Manual Reconnaissance (07:33 UTC)
Two minutes later, the attacker reconnected for manual exploration:
pwd → /app/marimo
whoami → marimo
ls → marimo logs data .env docker-compose.yml
The attacker navigated the filesystem, checked ~/.ssh for SSH keys, and attempted to enumerate network interfaces. The manual, methodical approach suggests a human operator, not an automated scanner.
Phase 3 — Credential Theft (07:43 UTC)
After a 6-minute pause, the attacker returned for a focused credential harvesting operation:
cat .env → AWS_ACCESS_KEY_ID=AKIA01FB...
AWS_SECRET_ACCESS_KEY=...
DATABASE_URL=postgres://...
API_KEY=...
The attacker then systematically read every file in the directory and searched for SSH keys. The entire operation took under 3 minutes.
Phase 4 — Return Visit (08:57 UTC)
Over an hour later, the attacker returned, re-ran the PoC validation, re-read the .env file, and ran history — likely checking whether other attackers had been active on the same instance.
Notably, the attacker did not install persistence, deploy cryptominers, or drop backdoors. This was a surgical credential theft operation — quick, stealthy, and targeted at high-value secrets.
Why This Matters for Defenders
The 9-hour-41-minute window between advisory publication and first exploitation continues an accelerating trend. The Zero Day Clock project shows median time-to-exploit has collapsed from 771 days in 2018 to just hours today. By 2023, 44% of exploited vulnerabilities were weaponized within 24 hours of disclosure.
What makes CVE-2026-39987 particularly alarming:
- No public PoC existed — the attacker built the exploit from the advisory text alone
- Niche software targeted — Marimo is not a high-profile enterprise platform
- AI-assisted exploitation likely — the speed suggests AI tools were used to analyze the advisory and generate the exploit
- Advisory feeds are being monitored — not just CVE databases, but GitHub security advisories
Indicators of Compromise (IOCs)
Security teams should monitor for:
- Unexpected WebSocket connections to the /terminal/ws endpoint
- Unauthenticated shell commands in Marimo process logs: id, whoami, pwd, cat .env
- PoC marker strings in logs: ---POC-START---, ---POC-END---
- Unusual .env file access and reads of AWS credential files
- SSH key directory enumeration: access to ~/.ssh
- Reconnaissance commands shortly after a WebSocket connection: ls, pwd, whoami
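The IOCs above, turned into a small log-correlation check. This is an added example, not code from the article, Sysdig or the Marimo project; the log layout, event names (ws_connect, terminal_cmd) and field names are assumed, since the article does not show Marimo's actual log format, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta
# Constructed sample log in a hypothetical "<ISO8601> <event> key=value ..." layout;
# the page does not show Marimo's real log format, so adapt parse() to yours.
SAMPLE_LOG = """\
2026-04-08T07:31:02Z ws_connect path=/terminal/ws remote=198.51.100.7
2026-04-08T07:31:03Z terminal_cmd remote=198.51.100.7 cmd="echo '---POC-START---'"
2026-04-08T07:31:04Z terminal_cmd remote=198.51.100.7 cmd="id"
2026-04-08T07:31:05Z terminal_cmd remote=198.51.100.7 cmd="echo '---POC-END---'"
2026-04-08T07:43:40Z terminal_cmd remote=198.51.100.7 cmd="cat .env"
2026-04-08T07:44:01Z terminal_cmd remote=198.51.100.7 cmd="ls -la ~/.ssh"
2026-04-08T09:00:00Z ws_connect path=/ws remote=203.0.113.5
2026-04-08T09:00:05Z terminal_cmd remote=203.0.113.5 cmd="python train.py"
"""
LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# IOC rules from the write-up: PoC marker strings, recon commands, credential reads.
RULES = [
    ("poc_marker", re.compile(r"---POC-(START|END)---")),
    ("recon", re.compile(r"^\s*(id|whoami|pwd|ls)(\s|$)")),
    ("credential_access", re.compile(r"\.env\b|\.ssh\b|\.aws\b")),
]
RECON_WINDOW = timedelta(seconds=60)  # recon counts only soon after a terminal connect
def parse(line):
    m = LINE_RE.match(line)  # -> (datetime, event, {key: value}) or None
    if m:
        ts, event, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields

def detect(log_text):
    # Returns (time, remote, rule, detail) alerts for terminal WebSocket abuse.
    last_connect, alerts = {}, []  # remote -> time of its latest /terminal/ws connect
    for ts, event, f in filter(None, map(parse, log_text.splitlines())):
        remote = f.get("remote", "?")
        if event == "ws_connect" and f.get("path") == "/terminal/ws":
            last_connect[remote] = ts
            alerts.append((ts, remote, "terminal_ws_connect", f["path"]))
        elif event == "terminal_cmd":
            cmd = f.get("cmd", "")
            fresh = remote in last_connect and ts - last_connect[remote] <= RECON_WINDOW
            for name, rx in RULES:
                if rx.search(cmd) and (name != "recon" or fresh):
                    alerts.append((ts, remote, name, cmd))
    return alerts

def suspicious_remotes(alerts, min_rules=3):
    # Remotes that tripped at least min_rules distinct rules, i.e. the full chain.
    seen = {}
    for _, remote, rule, _ in alerts:
        seen.setdefault(remote, set()).add(rule)
    return {r for r, rules in seen.items() if len(rules) >= min_rules}
```

On the sample, the single remote that connects to /terminal/ws, runs the marker sequence and then reads .env and ~/.ssh trips all four rule types, while the ordinary /ws session produces no alert.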
Immediate Actions Required
- Upgrade immediately — Update Marimo to version 0.23.0: pip install --upgrade marimo
- Block /terminal/ws — If upgrading is not immediately possible, block or disable access to the terminal WebSocket endpoint at the firewall or reverse proxy level
- Rotate all exposed secrets — If your instance was internet-exposed, assume .env credentials are compromised: rotate AWS keys, database passwords, API keys, and SSH keys immediately
- Restrict network access — Marimo should never be exposed via --host 0.0.0.0 to untrusted networks. Use VPN or SSH tunneling for remote access
- Run in read-only mode — If edit mode is not required, deploy with marimo run instead of marimo edit
- Monitor WebSocket traffic — Enable logging for WebSocket connections to detect exploitation attempts
- Audit advisory subscriptions — Subscribe to GitHub Security Advisories for all open-source tools in your stack, not just CVE feeds
The Bigger Picture: The End of the Patch Window
CVE-2026-39987 is not an anomaly — it is the new normal. The assumption that defenders have days or weeks to patch after a vulnerability is disclosed is obsolete. Security teams must now operate on the assumption that any critical advisory can be weaponized within hours, regardless of the software’s popularity.
The traditional patch management cycle — assess, test, schedule, deploy — cannot keep pace with exploitation timelines measured in single-digit hours. Organizations need runtime detection, network segmentation, and rapid credential rotation as first-line defenses when the patch window is measured in hours rather than days.
As Sysdig’s TRT concluded: “The attacker needed nothing more than the advisory text and a WebSocket client.”
References
- Marimo Security Advisory GHSA-2679-6mx9-h9xc
- NVD — CVE-2026-39987
- Sysdig TRT Research Report
- Marimo v0.23.0 Release Notes
Written by Tarang Parmar (CEH) — TheCyberSecurity.Network. Last updated: April 12, 2026.