Marimo notebook RCE exploited

A critical remote‑code‑execution flaw in the Marimo Python notebook platform was exploited within ten hours of public disclosure, allowing unauthenticated code execution on exposed servers. Multiple reports confirm active exploitation immediately after the vulnerability was published, underscoring high risk for any publicly reachable notebook instances used for experiments or demos. (infoworld.com) (gbhackers.com)

Marimo, a Python notebook server, was hit by live attacks less than 10 hours after a critical bug was disclosed on April 8. (github.com) (sysdig.com) Marimo is software for writing and running Python notebooks in a browser, and its docs say it can be deployed as an editable server for remote notebook work. In that setup, the server can expose a browser-based terminal and other live endpoints over the network. (docs.marimo.io 1) (docs.marimo.io 2)

The flaw sat in the `/terminal/ws` WebSocket endpoint, which is the always-open line a browser uses to keep an interactive terminal session alive. Marimo’s advisory said that endpoint accepted connections without checking authentication, letting an unauthenticated user get a full shell and run system commands. (github.com) GitHub’s advisory for GHSA-2679-6mx9-h9xc was published on April 8, 2026, and listed affected versions as Marimo 0.20.4 and earlier. Marimo’s releases page later said version 0.23.0 contained the security fix for CVE-2026-39987. (github.com 1) (github.com 2)

Sysdig said it put vulnerable honeypots online within hours of the disclosure and saw the first exploitation attempt 9 hours and 41 minutes later. Its timeline said the attacker returned in multiple sessions and exfiltrated a `.env` file with credentials at 07:44 Coordinated Universal Time on April 9. (sysdig.com) That speed turned a niche developer tool into an internet-facing target almost immediately. Sysdig said no public proof-of-concept exploit was available when the first attack landed, and that the attacker appeared to build an exploit directly from the advisory details. (sysdig.com) (infoworld.com) Notebook servers are attractive because they often sit close to data, cloud accounts, and application secrets. Sysdig said the attacker browsed the file system by hand and stole credentials in under three minutes after gaining access. (sysdig.com)

The Marimo advisory also noted that commands run with the privileges of the Marimo process, and its proof of concept showed a root shell in a default Docker deployment. That means the impact depends partly on how each server was deployed, but exposed edit servers faced the most direct risk. (github.com) (docs.marimo.io) Marimo’s deployment docs distinguish between `marimo edit`, which creates a remote editing server, and `marimo run`, which serves a read-only app. The vulnerable terminal endpoint mattered most on editable notebook servers, not static exports that run entirely in a browser with WebAssembly. (docs.marimo.io 1) (docs.marimo.io 2)

CoreWeave acquired Marimo in October 2025, and the project’s GitHub repository now shows more than 20,000 stars. The advisory and release notes show maintainers moved quickly to patch this bug and harden related endpoints in subsequent releases. (infoworld.com) (github.com) In calendar terms, the short patch window is the story here: disclosure on April 8, first observed exploitation before dawn on April 9. For anyone who left a Marimo edit server exposed to the public internet, that was enough time for an unauthenticated shell to become a credential theft incident. (github.com) (sysdig.com)
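As an added example that is not part of the original report or the Marimo project: a small Python check that compares an installed Marimo version against the 0.23.0 release named above, and a detector that flags completed WebSocket upgrades to `/terminal/ws` from outside trusted networks in reverse-proxy access logs. The nginx-style log lines and the trusted-network range are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Release the report names as carrying the fix for CVE-2026-39987.
FIXED_VERSION = (0, 23, 0)

def parse_version(version: str) -> tuple:
    """Turn a dotted version such as '0.20.4' into (0, 20, 4) for numeric comparison."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())

def needs_upgrade(version: str) -> bool:
    """True when the installed Marimo predates the release that ships the fix."""
    return parse_version(version) < FIXED_VERSION

# Constructed nginx combined-format lines (not real traffic) for a reverse
# proxy in front of a `marimo edit` server. Status 101 means the proxy
# completed the WebSocket upgrade to the backend.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2026:07:40:01 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.77 - - [09/Apr/2026:07:41:12 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-requests/2.31"
203.0.113.77 - - [09/Apr/2026:07:41:13 +0000] "GET /api/status HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.9 - - [09/Apr/2026:07:42:30 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def terminal_ws_alerts(log_text: str, trusted_nets=("10.0.0.0/8",)) -> list:
    """One alert per completed /terminal/ws upgrade (HTTP 101) from an address outside
    the trusted networks; on a pre-fix edit server each is a candidate unauthenticated shell."""
    trusted = [ip_network(n) for n in trusted_nets]
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        if m["path"].split("?")[0] != "/terminal/ws" or m["status"] != "101":
            continue  # other endpoints, or upgrades the proxy refused
        addr = ip_address(m["ip"])
        if any(addr in net for net in trusted):
            continue  # internal client; expected on an edit server
        alerts.append({"ip": m["ip"], "time": m["ts"]})
    return alerts
```

Rejected upgrades (403) and internal clients are deliberately excluded so the output is a short list of sessions worth tying back to the server's own process and credential inventory.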
