A critical vulnerability has been identified and actively exploited in the Marimo open-source Python notebook platform. This security flaw, tracked as CVE-2026-39987, permits remote code execution without the need for authentication, affecting Marimo versions 0.20.4 and earlier. GitHub has rated this vulnerability with a severe score of 9.3 out of 10. Within hours of the vulnerability's disclosure, attackers began exploiting it to extract sensitive data from affected systems.
Marimo is widely used by data scientists, machine learning practitioners, researchers, and developers for building data applications and dashboards. The vulnerability arises from the WebSocket endpoint '/terminal/ws' which lacks proper authentication checks, allowing unauthenticated clients to access an interactive terminal with the same privileges as the Marimo process. This situation poses a significant risk as it provides attackers with direct access to execute commands.
The flaw was disclosed on April 8, and a patch was released with version 0.23.0. Attackers quickly took advantage of the flaw, with Sysdig reporting reconnaissance activity from 125 IP addresses within the first 12 hours. The initial attack involved connecting to the vulnerable endpoint to confirm remote command execution, followed by manual exploration to gather environment information and steal credentials.
The attackers demonstrated a calculated approach, targeting high-value assets such as .env files and SSH keys without setting up persistence mechanisms or deploying malware, indicating a primary focus on credential theft. Users of Marimo are urged to upgrade to version 0.23.0 promptly, restrict external access to the vulnerable WebSocket endpoint, and rotate any exposed credentials. If an upgrade is not feasible, disabling access to the '/terminal/ws' endpoint is advised as a mitigation strategy.


