**Marimo**, a popular open-source Python notebook environment favored by data scientists, ML/AI practitioners, and researchers, faced a severe security incident following the disclosure of **CVE-2026-39987**. The vulnerability allows unauthenticated remote code execution in versions 0.20.4 and earlier, with **GitHub** assessing its severity as critical (9.3/10). ### The Vulnerability: CVE-2026-39987 The root cause lies in the ‘/terminal/ws’ WebSocket endpoint, which exposes an interactive terminal without proper authentication. This allows any unauthenticated client to connect and gain direct access to a full interactive shell with the same privileges as the **Marimo** process. **Marimo** developers disclosed the flaw on April 8th and released version 0.23.0 to address it. The update is crucial for users who deployed **Marimo** as an editable notebook or exposed it to a shared network using the `--host 0.0.0.0` flag while in edit mode. ### Rapid Exploitation in the Wild According to **Sysdig**, reconnaissance activity began from 125 IP addresses within the first 12 hours after the vulnerability details were published. The first exploitation attempt, focused on credential theft, was observed less than 10 hours after disclosure. The attack sequence involved: 1. **Vulnerability Validation:** Connecting to the `/terminal/ws` endpoint and executing a short script to confirm remote command execution. 2. **Manual Reconnaissance:** Issuing basic commands like `pwd`, `whoami`, and `ls` to understand the environment, followed by directory navigation attempts and checks for SSH-related locations. 3. **Credential Harvesting:** Targeting the `.env` file to extract environment variables, including cloud credentials and application secrets. Attempts were also made to read additional files and probe for SSH keys.  *Source: Sysdig* The entire credential access phase was completed in under three minutes, highlighting the efficiency of the attacker. The attacker returned an hour later for a second exploitation session using the same sequence. **Sysdig** researchers believe the attack was carried out by a “methodical operator” with a hands-on approach, focusing on high-value targets like `.env` credentials and SSH keys, rather than deploying automated scripts or persistent backdoors. ### Mitigation Steps **Marimo** users are strongly advised to: * Upgrade to version 0.23.0 immediately. * Monitor WebSocket connections to ‘/terminal/ws’. * Restrict external access via a firewall. * Rotate all exposed secrets. If upgrading is not immediately feasible, blocking or disabling access to the ‘/terminal/ws’ endpoint is an effective mitigation strategy.