Marimo under critical vulnerability CVE-2026-39987 exposes secrets in minutes

The data science and development community in Python has awoke with a disturbing news: a few hours after a serious vulnerability was made public in Marimo - a very popular open source reactive notebooks environment among data scientists, researchers and application creators - attackers were already taking advantage of that failure to enter and extract secrets.

Vulnerability, recorded as CVE-2026-39987, was qualified by GitHub with a critical score (high CVSS close to 9.3 / 10) and affects pre-correction versions of Marimo. In essence, an endpoint of WebSocket exposed under the route / terminal / ws allowed access to an interactive terminal without verification of credentials, which opened the door to remote execution of commands with the same permissions as the Marimo process.

The project developers published a warning and then released a corrected version, the 0.23.0 to mitigate the problem. The warning also specified that the risk was particularly relevant to those who deploy Marimo in editable mode or expose it to shared networks using the option --host 0.0.0.0 in editing mode.

A technical report from the Sysdig cloud security firm documents how exploitation moved from theory to practice in record time. According to his analysis, in the first 12 hours following the publication of the details, more than 100 IP addresses conducted scans in search of vulnerable facilities, and in less than 10 hours the first operating session was observed that specifically stole credentials and secrets from the system. The Sysdig report describes step by step how the attackers validated the failure, connecting to the vulnerable endpoint and running a small script to check the remote execution before disconnect and return minutes later for more detailed manual exploration ( Sysdig report).

What distinguishes this attack was not an indiscriminate wave of automatic scripts, but the action of an operator who, according to the researchers, carried out a methodical and directed operation. In the active session, basic environmental recognition commands (such as pwd, whoami and ls), search for sensitive files and, very quickly, reading the .env file to extract environment variables, cloud keys and application secrets were executed. All that credentials access was completed in less than three minutes, and the attacker's recurring session suggests a clear interest in valuable information rather than long-term malware installation.

The nature of the access makes it easier to understand why the damage can be immediate: getting environment variables or SSH keys from a development environment can allow side movements, access to cloud resources or exfiltration of production data. Although no attempt to continue or deploy miners or back doors was detected in this case, the ability to take secrets within minutes makes vulnerability a priority for anyone with Marimo exposed.

If you are an administrator or developer using Marimo, the measures to be taken are clear and urgent. First, update to version 0.23.0 must be the immediate action to restore authentication checks in the service. If the update is not immediately feasible, an effective mitigation is block or disable endpoint / terminal / ws in proxy or firewall, and avoid exposing the service to public networks. In addition, it is appropriate to monitor WebSocket connections to that route and to rotate any secrets that may have been exposed (environment variables, cloud access keys, API tokens, etc.).

The technical explanation and timing of the attack are a lesson about the exposure window that exists between responsible disclosure and the effective patch: the technical information, although essential for the teams to be able to park, also comes to the hands of actors with the ability to exploit failures within hours. This is why many organizations combine fast patches with additional network controls and automated processes to detect exploration and exfiltration patterns.

Marimo is not a minor project: its popularity in GitHub - with tens of thousands of stars and various forks - means that a lot of experimental environments and prototypes can be affected if recommendations are not implemented. You can review the official project repository and security warning on your GitHub page for more technical details about the patch and the conditions that trigger the risk: Marimo repository and safety advisory published by the maintainer.

In short, this incident recalls two things that should be obvious and often not: development tools and notebooks environments are not safe by default when exposed, and the rate of reaction to a vulnerability can make the difference between a successful patch and the commitment of sensitive secrets. If you manage to deploy Marimo, prioritize the update, review network access and assume that any exposed secrets must be rotated.

To follow the case and deepen the technical details of the attack, the main sources are the NVD database for the entry of the CVE ( CVE-2026-39987), warning and patch in the Marimo repository ( release 0.23.0) and the forensic and chronological analysis published by Sysdig ( Sysdig report), which provide the information necessary to understand what happened and how to protect themselves.