A critical pre-authentication remote code execution vulnerability in Marimo, the Python reactive notebook framework, was weaponized in the wild within hours of its public disclosure. CVE-2026-39987 (CVSS v4.0: 9.3) affects all versions of Marimo up to and including 0.20.4. If you run Marimo in any internet-accessible environment — a shared dev server, a cloud VM, a Kubernetes pod — patch immediately to version 0.23.0.

What Happened

Marimo’s built-in web server exposes a terminal over a WebSocket endpoint at /terminal/ws. The problem: that endpoint never checks authentication. Other WebSocket endpoints on the same server correctly call validate_auth() and use the @requires("edit") decorator to gate access. The terminal endpoint does neither. It checks only whether the server is in the right running mode and whether the platform supports terminal functionality, then accepts any WebSocket connection unconditionally.

The result is that even a Marimo instance with authentication enabled is fully compromised the moment an attacker connects to /terminal/ws. There are no tokens to steal first, no login flow to bypass — the terminal just opens. The shell executes with the privileges of the Marimo process, which in containerized deployments frequently runs as root.

Technical Details

  • CVE: CVE-2026-39987
  • CVSS v4.0 Score: 9.3 (Critical)
  • CWE: CWE-306 — Missing Authentication for Critical Function
  • Affected versions: marimo <= 0.20.4
  • Patched version: 0.23.0
  • Advisory: GHSA-2679-6mx9-h9xc

The root cause is an inconsistency in how Marimo’s server applies authentication middleware across WebSocket routes. The /ws endpoint (used for notebook execution) is correctly guarded. The /terminal/ws endpoint (a full PTY) is not. The fix in 0.23.0 applies the same WebSocketConnectionValidator mechanism to the terminal endpoint, bringing it in line with the rest of the server’s authentication model.
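The class of bug described above, an auth guard applied per route rather than to every WebSocket route, is easy to catch with a coverage test that enumerates the route table and reports any handler without a guard. The following is an added illustration, not Marimo's code: it models a toy server whose `@requires("edit")` decorator and `validate_auth()` method borrow their names from the advisory, builds one server with the terminal route unguarded (the vulnerable shape) and one with the same guard applied (the 0.23.0 shape), and shows `find_unguarded_routes()` flagging the former. The route registry, decorator implementation, handler bodies and the token value are all constructed for this example.

```python
"""Route-guard coverage check for WebSocket routes (illustrative, not Marimo's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Marker attribute set by @requires; the coverage check looks for it.
_GUARD_ATTR = "_required_scope"


def requires(scope: str) -> Callable:
    """Mark a handler as requiring `scope`; the server checks it before the upgrade."""
    def decorator(handler: Callable) -> Callable:
        setattr(handler, _GUARD_ATTR, scope)
        return handler
    return decorator


@dataclass
class Request:
    path: str
    token: Optional[str] = None
    scopes: List[str] = field(default_factory=list)


@dataclass
class Server:
    mode: str = "edit"
    auth_token: str = "s3cret-constructed"  # constructed value, not a real token
    routes: Dict[str, Callable] = field(default_factory=dict)

    def websocket(self, path: str) -> Callable:
        """Register a handler for a WebSocket path."""
        def register(handler: Callable) -> Callable:
            self.routes[path] = handler
            return handler
        return register

    def validate_auth(self, req: Request) -> bool:
        return req.token == self.auth_token

    def connect(self, req: Request) -> str:
        """Dispatch a WebSocket upgrade; only guarded handlers get an auth check."""
        handler = self.routes.get(req.path)
        if handler is None:
            return "404 not found"
        scope = getattr(handler, _GUARD_ATTR, None)
        if scope is not None:
            if not self.validate_auth(req) or scope not in req.scopes:
                return "403 forbidden"
        return handler(self, req)


def find_unguarded_routes(server: Server) -> List[str]:
    """Return WebSocket paths whose handler carries no @requires guard."""
    return sorted(p for p, h in server.routes.items()
                  if getattr(h, _GUARD_ATTR, None) is None)


def build_server(guard_terminal: bool) -> Server:
    """Build the server with the terminal route guarded (fixed) or not (vulnerable)."""
    srv = Server()

    @srv.websocket("/ws")
    @requires("edit")
    def kernel_ws(s: Server, req: Request) -> str:
        return "kernel session opened"

    def terminal_ws(s: Server, req: Request) -> str:
        # The vulnerable shape: only a mode check, no auth check.
        if s.mode != "edit":
            return "400 terminal disabled"
        return "pty opened"

    if guard_terminal:
        terminal_ws = requires("edit")(terminal_ws)
    srv.websocket("/terminal/ws")(terminal_ws)
    return srv


if __name__ == "__main__":
    print("unguarded (vulnerable build):", find_unguarded_routes(build_server(False)))
    print("unguarded (fixed build):     ", find_unguarded_routes(build_server(True)))
```

Run as a unit test in CI, `find_unguarded_routes()` turns "every WebSocket route is guarded" from a convention into an assertion, so adding a new route without the decorator fails the build instead of shipping an open endpoint.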

Exploitation in the Wild

Sysdig’s Threat Research Team deployed Marimo honeypot nodes across multiple cloud providers. The first exploitation attempt arrived 9 hours and 41 minutes after the advisory was published on April 8, 2026. The entire credential-harvesting operation completed in under 3 minutes.

The observed attack pattern was straightforward:

  1. Attacker connects to /terminal/ws with no credentials
  2. Briefly enumerates the file system to orient themselves
  3. Reads .env to harvest API keys, database credentials, and secrets
  4. Searches for and exfiltrates SSH private keys
  5. Disconnects

No privilege escalation was required. No lateral movement tooling was dropped in the observed incident — the attacker grabbed what they needed and left. The speed and precision of the operation suggests automated scanning followed by manual follow-up, not a targeted intrusion.

Who Is Affected

Marimo is increasingly popular in AI/ML development workflows and data science pipelines, often run as shared internal services or exposed on dev infrastructure. If your Marimo instance is:

  • Accessible over the network (LAN or internet)
  • Running behind a reverse proxy without its own auth layer
  • Deployed in a container or cloud environment

…then you are a viable target. The vulnerability is trivially exploitable — a single WebSocket connection is all that’s needed.

Marimo 0.20.4 shipped on February 27, 2026. Any installation that hasn’t been updated in the past six weeks is vulnerable.

Mitigation

Patch first: Upgrade to marimo >= 0.23.0 immediately.

pip install --upgrade marimo

If you cannot patch right now:

  • Block external access: Firewall off port 2718 (the default Marimo port) from anything that shouldn’t need it. This does not fix the bug but removes remote exploitability.
  • Add an auth proxy: Put Marimo behind an authenticated reverse proxy (nginx + basic auth, Cloudflare Access, Tailscale, etc.) as an additional layer.
  • Rotate secrets: If your Marimo instances were exposed, assume .env files and SSH keys have been read. Rotate all credentials that were accessible on those hosts.
  • Audit WebSocket connections: Review server logs for unexpected connections to /terminal/ws — particularly short-duration sessions with file read activity.
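The log audit in the last bullet can be scripted. The following is an added example, not part of the original post and not a Marimo or Sysdig tool: it reads JSON-per-line reverse-proxy records (the field names `ts`, `client`, `path`, `status`, `duration_s` are assumptions about the proxy's log format), keeps only upgraded connections to /terminal/ws, and flags those from outside a trusted network or shorter than a threshold. Proxy logs only show connection metadata, so "file read activity" from the bullet has to come from shell or audit logs on the host; this script narrows down which sessions to look at. The log lines are constructed.

```python
"""Flag suspicious /terminal/ws sessions in reverse-proxy logs (added example)."""
import ipaddress
import json
from typing import Dict, Iterable, List

# Constructed JSON-per-line proxy records; not real traffic. Field names are assumed.
SAMPLE_LOG = """\
{"ts":"2026-04-08T21:02:11Z","client":"10.0.0.5","method":"GET","path":"/","status":200,"duration_s":0.02}
{"ts":"2026-04-08T21:02:12Z","client":"10.0.0.5","method":"GET","path":"/ws?session_id=abc","status":101,"duration_s":1840.0}
{"ts":"2026-04-08T21:40:03Z","client":"203.0.113.7","method":"GET","path":"/terminal/ws","status":101,"duration_s":140.0}
{"ts":"2026-04-08T22:10:44Z","client":"10.0.0.5","method":"GET","path":"/terminal/ws","status":101,"duration_s":2600.0}
{"ts":"2026-04-08T22:12:09Z","client":"10.0.0.23","method":"GET","path":"/terminal/ws","status":101,"duration_s":45.0}
{"ts":"2026-04-08T22:15:00Z","client":"198.51.100.9","method":"GET","path":"/terminal/ws","status":101,"duration_s":60.0}
"""


def _is_trusted(client: str, trusted_nets: List[str]) -> bool:
    """True if the client address falls inside any of the trusted CIDR ranges."""
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(n) for n in trusted_nets)


def find_suspicious_terminal_sessions(lines: Iterable[str],
                                      trusted_nets: List[str],
                                      max_short_s: float = 300.0) -> List[Dict]:
    """Return /terminal/ws upgrades that came from an untrusted source or were short."""
    findings: List[Dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        path = rec["path"].split("?", 1)[0]  # drop query string before matching
        if path != "/terminal/ws" or rec.get("status") != 101:
            continue  # only completed WebSocket upgrades to the terminal endpoint
        reasons = []
        if not _is_trusted(rec["client"], trusted_nets):
            reasons.append("untrusted source")
        if rec["duration_s"] < max_short_s:
            reasons.append("short session")
        if reasons:
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "duration_s": rec["duration_s"], "reasons": reasons})
    return findings


def scan_sample() -> List[Dict]:
    """Run the check over the constructed sample with 10.0.0.0/8 as the trusted LAN."""
    return find_suspicious_terminal_sessions(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"])


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{hit['ts']} {hit['client']:<14} {hit['duration_s']:>7.0f}s  {', '.join(hit['reasons'])}")
```

Tune `trusted_nets` to the ranges that legitimately reach the instance and `max_short_s` to typical interactive use; a trusted-LAN terminal session that lasts under a minute is still worth a look, which is why the two conditions are reported separately rather than combined.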

Why This Pattern Keeps Appearing

Authentication bypasses via inconsistent endpoint guards are a recurring problem in developer-tooling software. The Marimo advisory is the latest in a line that includes Jupyter, Argo Workflows, and more recently Langflow (CVE-2026-33017) and n8n (CVE-2026-21858). Developer tools prioritize fast, frictionless local use — but they’re increasingly deployed in shared or internet-accessible environments without the same scrutiny applied to production web applications.

The 10-hour exploitation window is a useful data point: for high-value targets like developer tooling that runs with privileged access to credentials and secrets, attackers are watching advisory feeds and scanning aggressively. Patch windows are compressing.
