RC RANDOM CHAOS

Marimo notebook pre-auth RCE exploited within 10 hours of disclosure

· via BleepingComputer

Original source: "Critical Marimo pre-auth RCE flaw now under active exploitation" (BleepingComputer)

A critical flaw in the Marimo open-source Python notebook platform (CVE-2026-39987, CVSS 9.3) is being actively exploited to steal credentials. The vulnerability stems from the /terminal/ws WebSocket endpoint exposing an interactive shell without authentication, giving any unauthenticated client direct command execution at the privilege level of the Marimo process. Versions 0.20.4 and earlier are affected, particularly deployments running in edit mode bound to 0.0.0.0. Version 0.23.0 contains the fix.

Sysdig researchers observed 125 IPs probing the endpoint within 12 hours of disclosure, with the first working exploit landing less than 10 hours after the advisory went public; it was lifted directly from the developer's own write-up. The attacker behaved like a hands-on operator rather than an automated worm: validating RCE, running basic recon (pwd, whoami, ls), then pivoting hard to .env files for cloud credentials and application secrets, plus SSH key hunting. The entire credential-harvest phase ran in under three minutes, with no persistence, miners, or backdoors planted: a smash-and-grab focused on portable secrets.

The incident is a textbook case of disclosure-to-exploit compression and of the risk of exposing developer tooling on shared networks. Operators should upgrade immediately, firewall the endpoint, rotate any secrets that lived on affected hosts, and treat exposed .env and SSH material as compromised.
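A defender-side check, added here as an example and not code from the BleepingComputer article or the Marimo project: it scans access-log lines for WebSocket upgrades to the /terminal/ws endpoint from non-loopback sources (a 101 response means a shell session was actually handed out) and classifies a version string against the affected and fixed versions stated above. The combined-log-with-Upgrade-header format, the addresses and the timestamps in the sample are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Constructed access-log sample (combined log format with the Upgrade header
# appended as a final quoted field); not real data from the incident.
SAMPLE_LOG = """\
127.0.0.1 - - [09/Apr/2026:10:01:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0" "websocket"
203.0.113.7 - - [09/Apr/2026:10:03:15 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-requests/2.31" "websocket"
203.0.113.7 - - [09/Apr/2026:10:03:16 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.31" "-"
198.51.100.2 - - [09/Apr/2026:10:05:00 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.0" "websocket"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<upgrade>[^"]*)"$'
)

def find_terminal_ws_hits(log_text):
    """Return WebSocket upgrade attempts against /terminal/ws from non-loopback sources.

    A 101 status means the upgrade completed and the interactive shell was handed to
    the client; anything else is a probe that a proxy, ACL or the fixed version refused.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than abort the whole scan
        if not m["path"].startswith("/terminal/ws") or m["upgrade"].lower() != "websocket":
            continue
        if ip_address(m["src"]).is_loopback:
            continue  # the developer's own browser on the same host
        verdict = "session established" if m["status"] == "101" else "probe"
        hits.append({"src": m["src"], "ts": m["ts"], "ua": m["ua"], "verdict": verdict})
    return hits

def is_affected_version(version):
    """True for 0.20.4 and earlier, False for 0.23.0 and later, None for releases
    in between, which the summary above does not classify."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if v <= (0, 20, 4):
        return True
    if v >= (0, 23, 0):
        return False
    return None

if __name__ == "__main__":
    for hit in find_terminal_ws_hits(SAMPLE_LOG):
        print(hit)
```

Any "session established" hit from a non-loopback source on an affected version is a reason to rotate every secret that lived on that host, not just to patch.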


This is an AI-generated summary. Read the original for the full story.