CVE-2026-39987: Marimo RCE Exploited in Hours — AI Toolchain Attack Surface

A pre-authenticated remote code execution flaw in Marimo was exploited within 10 hours of disclosure. The attacker needed no public exploit code — only the advisory text. Here is what happened and why AI development tools are a growing attack surface.

Katrin, Researcher · April 13, 2026 · 9 min read

What Happened: A Working Exploit Built From the Advisory Alone

On April 8, 2026, a security advisory was published for CVE-2026-39987, a pre-authenticated remote code execution vulnerability in Marimo, an open-source Python notebook framework. The CVSS score is 9.3. Within 9 hours and 41 minutes of that advisory going public, the Sysdig Threat Research Team observed the first active exploitation attempt against a honeypot.

There was no public proof-of-concept code. The attacker reconstructed a working exploit directly from the advisory description, connected to the unauthenticated terminal WebSocket endpoint, and had completed a credential theft operation in under three minutes. The speed of that timeline is the finding that matters most.

Why Does This Vulnerability Exist?

Marimo exposes a WebSocket terminal at the path /terminal/ws. Other WebSocket endpoints in the application — such as /ws — correctly call validate_auth() before accepting any connection. The terminal endpoint checks only the running mode and platform support, then accepts the connection without any authentication check. This single missing function call gives an unauthenticated attacker a full PTY shell on the server running the notebook.

The root cause is a common pattern in developer tooling: terminal and debug interfaces are built for local use, then deployed to network-accessible infrastructure without revisiting access controls. Marimo notebooks are frequently deployed on Docker hosts, GPU cloud instances, and platform-as-a-service environments where they are reachable over the network by design. Many deployment guides do not prominently address authentication, and the default configuration exposes the terminal to any network-connected client.

All Marimo versions up to and including 0.20.4 are affected. The vulnerability is fixed in version 0.23.0. Organizations should upgrade immediately.

What Attackers Do Once They Have a Shell

Marimo notebook environments are rich targets. Data scientists and ML engineers configure them with credentials they need to do their work: API keys for commercial LLM providers such as OpenAI, Anthropic, and Google; cloud provider access keys for AWS, GCP, and Azure; database connection strings; and SSH keys. These credentials typically live in .env files or shell environment variables within the notebook runtime.

The exploitation pattern observed by Sysdig followed a predictable sequence: connect to /terminal/ws, enumerate the file system, locate .env files and shell history, extract credentials, and exfiltrate. The entire chain took under three minutes. With API keys and cloud credentials in hand, an attacker can exhaust LLM API quotas — resulting in direct financial damage — spin up cloud resources for cryptomining or further infrastructure, pivot to other internal systems accessible from the notebook host, or sell the credentials on broker markets.

Marimo processes often run with elevated privileges and have direct network access to internal systems because notebooks are expected to query databases, APIs, and storage buckets. The blast radius of a successful compromise extends well beyond the notebook host itself.

How to Detect Whether You Were Affected

If you ran any Marimo instance on internet-accessible infrastructure before upgrading to 0.23.0, treat the deployment as potentially compromised. The specific indicator to look for is inbound WebSocket connections to the /terminal/ws path that occurred on or after April 8, 2026 — the date the advisory was published and exploitation began.

Review web server or reverse proxy logs for connections to that endpoint. A connection from an unexpected source IP, especially one that is short-lived or immediately followed by file access patterns, is a strong indicator of exploitation. If you find such connections, rotate all credentials that were accessible within the Marimo runtime environment: LLM API keys, cloud access keys, database passwords, and SSH keys. Check cloud billing for unexpected usage spikes, and review cloud audit logs for API calls that do not match normal usage patterns.

For detection going forward, network-level monitoring that alerts on new WebSocket connections to /terminal/ws from sources outside your known client addresses will catch exploitation attempts before they complete. The three-minute credential exfiltration window is short; detection needs to happen at the connection stage, not after.
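The log review described above, as an added example that is not part of the original article: a small Python script that parses reverse-proxy access logs in nginx "combined" format and reports WebSocket handshakes to /terminal/ws from sources outside an assumed allowlist on or after the advisory date. The sample log lines and the 10.0.0.0/8 trusted range are constructed for illustration.

```python
import re
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample lines in nginx "combined" format; not real traffic.
# Status 101 means the WebSocket upgrade was accepted by the server.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2026:09:12:01 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.42 - - [08/Apr/2026:15:41:07 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"
10.0.0.5 - - [09/Apr/2026:08:00:00 +0000] "GET /ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Apr/2026:02:13:55 +0000] "GET /terminal/ws?session=x HTTP/1.1" 101 0 "-" "curl/8.5.0"
"""

ADVISORY_DATE = date(2026, 4, 8)          # CVE-2026-39987 advisory publication date
TRUSTED = [ip_network("10.0.0.0/8")]      # assumed allowlist of known client ranges

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def suspicious_terminal_connections(log_text, trusted=TRUSTED, since=ADVISORY_DATE):
    """Return (ip, iso_date, status) for /terminal/ws requests from untrusted
    sources on or after `since`. Query strings are ignored when matching the path."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if path != "/terminal/ws":
            continue
        when = date(int(m.group("year")), MONTHS[m.group("mon")], int(m.group("day")))
        if when < since:
            continue
        ip = ip_address(m.group("ip"))
        if any(ip in net for net in trusted):
            continue
        hits.append((str(ip), when.isoformat(), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, day, status in suspicious_terminal_connections(SAMPLE_LOG):
        print(f"{day} {ip} /terminal/ws status={status}")
```

Any hit with status 101 is a completed terminal handshake and should trigger the credential rotation steps listed above.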

The Broader Problem: AI Tooling as an Unmanaged Attack Surface

CVE-2026-39987 is not an isolated incident. The Langflow RCE CVE-2026-33017 followed a similar pattern: an AI development tool deployed on public infrastructure without adequate access controls, exploited within days of disclosure. The common thread is that AI and ML tooling — notebooks, orchestration platforms, model-serving frameworks — is being adopted faster than security practices can adapt.

These tools were often designed with the assumption that they run locally or in a fully trusted network. When teams deploy them to cloud instances to share access among colleagues, or to enable remote work, they inherit every network-exposed endpoint the tool provides — including ones the developers never expected to be accessible from the internet.

External attack surface management means knowing which of these services are reachable from the outside before an attacker finds them. Marimo instances listening on public IP addresses and matching the version fingerprint for vulnerable releases can be identified through passive internet scanning. The window between advisory publication and first exploitation is measured in hours, not days. Organizations that do not have continuous visibility into their exposed services cannot act within that window.
