Full Report
A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig. The vulnerability in question is CVE-2026-39987 (CVSS score: 9.3), a pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including
Analysis Summary
# Vulnerability: Marimo Unauthenticated Remote Code Execution (RCE) via Terminal WebSocket
## CVE Details
- **CVE ID:** CVE-2026-39987
- **CVSS Score:** 9.3 (Critical)
- **CWE:** Missing Authentication for Critical Function (associated with CWE-306)
## Affected Systems
- **Products:** Marimo (Open-source Python notebook for data science)
- **Versions:** All versions prior to and including 0.20.4
- **Configurations:** Internet-facing Marimo instances or instances accessible to unauthenticated network actors.
## Vulnerability Description
The vulnerability resides in the `/terminal/ws` WebSocket endpoint. Unlike other WebSockets in the application (such as `/ws`) which implement `validate_auth()` to check user credentials, the terminal endpoint fails to perform any authentication validation. It only verifies running modes and platform support before establishing a connection. Because this endpoint is designed to provide terminal access, an unauthenticated attacker can connect to it and obtain a full pseudo-terminal (PTY) shell.
## Exploitation
- **Status:** Exploited in the wild (First observed attack occurred within 10 hours of disclosure).
- **Complexity:** Low (Attackers can build an exploit directly from the advisory description).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to environment variables, .env files, SSH keys, and local file system).
- **Integrity:** High (Ability to execute arbitrary system commands and modify files).
- **Availability:** High (Ability to terminate processes or delete system files).
## Remediation
### Patches
- **Update to Marimo version 0.23.0** (or later), which addresses the authentication bypass in the terminal endpoint.
### Workarounds
- **Disable Network Exposure:** Ensure Marimo instances are not exposed to the public internet.
- **Access Control:** Restrict access to the application using a VPN or an authenticated reverse proxy (e.g., Cloudflare Access, Authelia) if patching is not immediately possible.
## Detection
- **Indicators of Compromise:**
- Unauthorized connections to the `/terminal/ws` endpoint in application logs.
- Suspicious manual reconnaissance commands (e.g., `ls`, `cat .env`, searching for `.ssh` directories).
- Multiple connections from unknown IP addresses followed by periods of inactivity.
- **Detection methods and tools:** Monitor system-level process execution for unexpected shells spawned by the Python process running Marimo.
## References
- **Vendor Advisory:** [https://github[.]com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc]
- **Release Notes:** [https://github[.]com/marimo-team/marimo/releases/tag/0.23.0]
- **Original Research:** [https://www[.]sysdig[.]com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours]
- **News Report:** [https://thehackernews[.]com/2026/04/marimo-rce-flaw-cve-2026-39987.html]