A critical vulnerability in Marimo is actively being exploited, allowing attackers to gain unauthenticated remote code execution (RCE) through a simple WebSocket connection.
Tracked as CVE-2026-39987, the flaw carries a CVSS v4.0 score of 9.3 and impacts all versions prior to 0.23.0. The issue has been addressed in the latest release.
Marimo, widely used as a modern alternative to Jupyter notebooks for data science, machine learning experimentation, and analytics workflows, is often deployed in collaborative environments with network exposure—making this vulnerability particularly severe.
The root cause is a missing authentication check on a single WebSocket endpoint. While most endpoints in Marimo enforce authentication, the /terminal/ws endpoint did not validate user credentials, so any client that could reach it could open a WebSocket connection and obtain a full interactive shell without authenticating.
In effect, a remote attacker could execute arbitrary system commands simply by completing a WebSocket handshake, bypassing all access controls.
According to the Sysdig Threat Research Team, exploitation began rapidly after disclosure. The first attack attempt was observed within 9 hours and 41 minutes, with a full credential theft operation executed in under three minutes—despite the absence of publicly available proof-of-concept code.
Security researchers warn that exposed instances remain at risk, with internet-wide scans suggesting that tens to hundreds of deployments could still be vulnerable, particularly those running on commonly exposed HTTP ports.
The vulnerability highlights the risks associated with improperly secured WebSocket endpoints, especially in developer tools and data science platforms that often run with elevated permissions and access to sensitive datasets.
Users and organizations are strongly advised to upgrade to Marimo version 0.23.0 immediately and restrict external access to notebook environments to mitigate potential exploitation.
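Two checks a defender can run against the root cause described above and the upgrade advice in the previous paragraph, as an added example that is not Marimo's or Sysdig's code: a version test against the 0.23.0 fix threshold, and a scan of reverse-proxy access-log lines for WebSocket upgrade requests to /terminal/ws that carried no credential. The log format, the `upgrade=` and `auth=` fields, and the sample lines are constructed for this example; a real deployment would adapt the regex to whatever its proxy actually logs.

```python
"""Triage helpers for the Marimo /terminal/ws authentication bypass.

Added example, not Marimo's own code. The log line format below is
constructed: timestamp, client IP, request line, status, then two fields
assumed to be appended by the proxy configuration:
  upgrade=<value of the Upgrade header, or ->
  auth=<present|->   (whether any credential accompanied the request)
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (0, 23, 0)          # first release containing the fix
TERMINAL_WS_PATH = "/terminal/ws"   # the endpoint that skipped the auth check


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '0.22.5' or 'v0.23.0' into a numeric triple; missing parts are zero.

    Numeric comparison matters: a string compare would rank '0.9.0' above '0.23.0'.
    """
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_fixed_version(version: str) -> bool:
    """True when the running Marimo is 0.23.0 or later."""
    return parse_version(version) >= FIXED_VERSION


# Constructed proxy log format (see module docstring).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) upgrade=(?P<upgrade>\S+) auth=(?P<auth>\S+)$'
)

# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE_LOG_LINES = [
    '2026-04-02T10:14:58Z 198.51.100.4 "GET /ws?session_id=s1 HTTP/1.1" 101 upgrade=websocket auth=present',
    '2026-04-02T10:15:00Z 198.51.100.4 "GET /terminal/ws?session_id=s1 HTTP/1.1" 101 upgrade=websocket auth=present',
    '2026-04-02T10:15:01Z 203.0.113.7 "GET /terminal/ws HTTP/1.1" 101 upgrade=websocket auth=-',
    '2026-04-02T10:15:09Z 203.0.113.9 "GET /terminal/ws HTTP/1.1" 403 upgrade=websocket auth=-',
    '2026-04-02T10:15:10Z 198.51.100.4 "GET /health HTTP/1.1" 200 upgrade=- auth=-',
]


def find_unauthenticated_terminal_upgrades(lines: List[str]) -> List[Dict[str, object]]:
    """Return WebSocket upgrades to /terminal/ws that presented no credential.

    `completed` is True when the server answered 101 Switching Protocols,
    i.e. the unauthenticated shell session was actually established; a 4xx
    answer indicates an attempt that was refused (for example after patching).
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # lines in another format are skipped, not treated as hits
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path != TERMINAL_WS_PATH:
            continue
        if m.group("upgrade").lower() != "websocket":
            continue
        if m.group("auth") != "-":
            continue  # a credential was presented: ordinary terminal use
        hits.append({
            "ts": m.group("ts"),
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "completed": m.group("status") == "101",
        })
    return hits


if __name__ == "__main__":
    for v in ("0.22.5", "0.23.0"):
        print(f"marimo {v}: {'fixed' if is_fixed_version(v) else 'VULNERABLE, upgrade'}")
    for hit in find_unauthenticated_terminal_upgrades(SAMPLE_LOG_LINES):
        state = "shell established" if hit["completed"] else "attempt refused"
        print(f"{hit['ts']} {hit['ip']} -> {state} (HTTP {hit['status']})")
```

A 101 hit with `auth=-` is the signal worth treating as an incident rather than a scan: it means the unauthenticated handshake succeeded on an unpatched instance, and the credential-theft timeline reported by Sysdig shows how little time follows that moment. Because the scan relies on the proxy logging the Upgrade header and credential presence, it is only as good as that logging; instances reachable without passing through the proxy at all need the network restriction recommended above rather than detection.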