
Marimo RCE Vulnerability Exploited 9 Hours After Disclosure

Hackers didn't blink. Nine hours after Marimo's critical RCE disclosure, they were in — stealing creds from a honeypot. Open-source speed meets attacker hustle.


Key Takeaways

  • Attackers exploited Marimo's critical RCE (CVE-2026-39987) in under 10 hours without a public PoC.
  • The flaw skipped auth on the terminal WebSocket, granting full shells.
  • Patch immediately to 0.23.0+; reconnaissance came from 125 IPs.

Nine hours and 41 minutes. That’s the gap between Marimo’s maintainers dropping the bomb on CVE-2026-39987 and some threat actor firing off a custom exploit.

Sysdig caught it live on their honeypot — no public PoC, no hand-holding GitHub repo. Just a savvy attacker piecing together the advisory like a puzzle from hell.

Marimo? It’s this open-source reactive notebook for Python folks — 20,000 GitHub stars, promises consistent code, outputs, state. Sounds shiny, right? But here’s the rub: that terminal WebSocket endpoint (/terminal/ws) skipped auth checks entirely. While other endpoints play nice with validate_auth(), this one? Nah, just peeks at running mode and platform, then hands over a full interactive shell.

Wait, What Even Is Marimo — And Why Care?

Look, I’ve covered enough notebook wars to know the drill. Jupyter dominated for years; now everyone’s chasing reactivity — Streamlit, Voila, and yeah, Marimo. It’s Python-centric, meant for data scientists who hate cell re-run roulette. But popularity breeds targets. 20k stars? That’s a billboard saying ‘probe me.’

The vuln’s a classic: unauthenticated RCE, CVSS 9.3. Attackers connect, spawn a shell, run whatever. Sysdig watched one connect, poke around manually after two minutes, then boomerang back six minutes later to snag credential files. SSH keys? Every file in the dir? They hunted it all — done in three minutes flat.

“Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification,” Marimo’s maintainers explain.

Straight from the horse’s mouth. Brutal honesty, but nine hours late for some.

And the scale? One IP exploiting, but 125 others scanning ports, HTTP probing. Recon swarm.
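One way a defender can hunt for both halves of that picture in web-server access logs, as an added example that is not part of the Sysdig report or of Marimo's own code: it parses nginx combined-format lines (constructed samples, not honeypot data), flags every completed WebSocket upgrade (HTTP 101) on /terminal/ws as a shell session, and counts the distinct source IPs that touched the endpoint at all, which approximates the scanning swarm. The log format, the RFC 1918 "internal" split and the sample IPs are assumptions; the endpoint path is the one named in the advisory.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in nginx "combined" format; not real honeypot traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2026:19:41:00 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"
203.0.113.7 - - [08/Apr/2026:19:43:12 +0000] "GET /api/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Apr/2026:19:50:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "masscan/1.3"
198.51.100.24 - - [08/Apr/2026:19:50:01 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.5 - - [08/Apr/2026:20:00:00 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
"""

# combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# RFC 1918 ranges plus loopback; any other source is treated as external (assumption).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TERMINAL_WS = "/terminal/ws"  # the endpoint the advisory says skips validate_auth()

def parse_line(line):
    """Fields of one combined-format line, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(log_text):
    """Return (handshakes, probe_ips). A completed WebSocket upgrade (status 101)
    on /terminal/ws is an interactive shell on an unpatched host, so each one is an
    incident; probe_ips is every distinct source that requested the endpoint at all."""
    handshakes, probe_ips = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != TERMINAL_WS:
            continue
        probe_ips.add(rec["ip"])
        if rec["status"] == "101":
            handshakes.append({"ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"],
                               "external": not is_internal(rec["ip"])})
    return handshakes, sorted(probe_ips)

if __name__ == "__main__":
    hits, probes = triage(SAMPLE_LOG)
    print(f"{len(hits)} shell session(s); {len(probes)} distinct IPs touched {TERMINAL_WS}")
```

On a patched 0.23.0+ instance the 101 handshakes should only ever follow an authenticated session, so any that do not are worth the same treatment as a confirmed intrusion.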

How’d They Weaponize It That Fast?

No PoC. Advisory drops April 8, exploit by evening. Attacker reverse-engineered the description — connected straight to /terminal/ws, explored the env. Sysdig: “The attacker built a working exploit directly from the advisory description.”

This ain’t script kiddies. Pros. Reminds me of 2017’s Equifax mess — patches out, exploits fly in days. But Marimo? Open source, niche. Yet here we are. My hot take: notebook tools are the new wild west because devs prioritize features over fortresses. Who makes money? VCs funding the next ‘Jupyter killer,’ while security lags. Historical parallel? JupyterLab’s 2021 auth bypass — same vibe, slower response. Marimo just accelerated the timeline.

Patch? Versions up to 0.20.4 vulnerable. Jump to 0.23.0+. Simple, if you’re vigilant.

But vigilance? In dev land? Fat chance.

Think you’re safe? Wrong.

Data teams, ML engineers — if Marimo’s in your stack, assume probed. Exposed instances? Gift-wrapped shells. Sysdig’s honeypot proves attackers prioritize fresh CVEs. No mass campaign yet, but that single IP? Likely testing for bigger fish.

Who’s hit? Cloud-hosted Marimo setups, especially unauthed demos. GitHub stars mean enterprise pilots too. I’ve seen firms brag about ‘internal Jupyter alternatives’ — now sweating.

Prediction: This sparks a notebook audit wave. But mark my words, the next flaw won’t wait 9 hours; it’ll be zero-days from day zero.

Why Open Source Moves Like This Hurt Everyone

Don’t get me wrong — open source rules. Transparency, patches quick. But disclosure races? Maintainers post advisory sans PoC, attackers feast first. Cynical me says: PR stunt? Nah, legit slip. Still, in 20 years covering this circus, I’ve seen hype tools crumble fastest. Marimo’s reactive pitch? Cool. But skipping auth on a terminal endpoint? Amateur hour.

Sysdig notes the attacker exfiltrated creds post-recon. Imagine: your AWS keys, SSH privs, gone. Three minutes. That’s not a breach; it’s a heist.

And the recon? 125 IPs. Botnet warm-up? Nation-state sniff? Or just opportunistic crews? Bet on the last — low-hanging fruit sells on dark markets.

Users: Update. Now. Firewall that endpoint if you can’t. But really, audit all notebooks. Streamlit next? Who knows.

I’ve yelled this before: buzzword ‘reactive’ notebooks lure devs, but security’s the afterthought. Money’s in the features — until the breach bill hits.

The Bigger Picture — Notebooks Under Siege

Marimo joins Palo Alto, SonicWall patches, Google API leaks. RCE in ActiveMQ lurked 13 years. Pattern? Dev tools bleed because they’re ubiquitous, under-secured.

Unique angle: This exploit’s speed signals AI-assisted attack crafting. Advisory to shell in hours? LLMs parsing CVEs now. Scary? Yeah. But inevitable.

Patch notes confirm: 0.23.0 fixes auth skip. Test it. Don’t trust ‘updated.’

Final nudge: If you’re running Marimo exposed — stop. World’s watching.


Frequently Asked Questions

What is CVE-2026-39987 in Marimo? Unauthenticated RCE via /terminal/ws endpoint; full shell access, no login needed.

How quickly was the Marimo vulnerability exploited? 9 hours, 41 minutes after public advisory — custom exploit, no PoC.

How do I patch the Marimo RCE flaw? Update to 0.23.0 or later; all prior versions vulnerable up to 0.20.4.

Written by Marcus Rivera

Tech journalist covering AI business and enterprise adoption. 10 years in B2B media.



Originally reported by SecurityWeek
