Full Report
A critical pre-authentication remote code execution (RCE) vulnerability in Marimo is now under active exploitation, leveraged for credential theft. [...]
Analysis Summary
# Vulnerability: Pre-Authentication RCE in Marimo Python Notebooks
## CVE Details
- **CVE ID:** CVE-2026-39987
- **CVSS Score:** 9.3 (Critical)
- **CWE:** Improper Authentication (Accessing interactive shell via WebSocket)
## Affected Systems
- **Products:** Marimo open-source reactive Python notebook platform.
- **Versions:** Version 0.20.4 and all earlier versions.
- **Configurations:**
- Deployed as an editable notebook.
- Exposed to a shared network or the internet using the `--host 0.0.0.0` flag while in edit mode.
## Vulnerability Description
The flaw resides in the `/terminal/ws` WebSocket endpoint. The application fails to perform proper authentication checks on this endpoint, allowing any unauthenticated remote client to establish a connection. Once connected, the attacker is granted a full interactive shell with the same privileges as the Marimo process, leading to complete system compromise.
## Exploitation
- **Status:** Exploited in the wild (First observed within 10 hours of disclosure).
- **Complexity:** Low (Public advisory provided enough detail for rapid exploit development).
- **Attack Vector:** Network (Remote).
- **PoC Available:** Effectively public via developer advisory documentation and observed attacker scripts.
## Impact
- **Confidentiality:** Total (Observed exfiltration of `.env` files, cloud credentials, application secrets, and SSH keys).
- **Integrity:** Total (Full interactive shell allows modification of files and system state).
- **Availability:** Total (Attacker can terminate processes or delete critical data).
## Remediation
### Patches
- **Update to Marimo version 0.23.0** or later immediately.
### Workarounds
- Block or disable all access to the `/terminal/ws` endpoint at the network or proxy level.
- Restrict external access to the Marimo instance using a firewall or VPN.
- Avoid using `--host 0.0.0.0` in untrusted or public network environments.
## Detection
- **Indicators of Compromise (IoCs):**
- Unauthorized connections to the `/terminal/ws` URI.
- Presence of commands like `whoami`, `pwd`, `ls`, or navigation to SSH/Environment directories (`.ssh/`, `.env`) in shell history logs.
- **Detection Methods:**
- Monitor WebSocket traffic logs for unusual source IPs connecting to the terminal endpoint.
- Inspect system logs for unexpected child processes spawned by the Marimo parent process.
- **Note:** Active exploitation has been characterized by "hands-on-keyboard" manual reconnaissance rather than automated mass-scanning.
## References
- **Vendor Advisory:** hxxps[://]github[.]com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc
- **Sysdig Technical Report:** hxxps[://]www[.]sysdig[.]com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours
- **Marimo Releases:** hxxps[://]github[.]com/marimo-team/marimo/releases/tag/0.23.0