Cybercriminals are actively exploiting the critical Marimo RCE vulnerability CVE-2026-39987 to steal credentials, deploy malware, and compromise exposed Python notebook environments within hours of public disclosure.
Cybersecurity researchers are warning organizations about active exploitation of a critical remote code execution vulnerability affecting the Marimo Python notebook framework. The flaw, tracked as CVE-2026-39987, enables attackers to gain unauthenticated remote shell access to exposed Marimo instances, leading to credential theft and malware deployment campaigns.
According to researchers, attackers began exploiting the vulnerability less than 10 hours after technical details were publicly disclosed, highlighting the growing speed of modern cyberattacks.
“The first exploitation attempt” was observed within 10 hours.
Critical Flaw in Marimo WebSocket Endpoint
The vulnerability exists in Marimo’s /terminal/ws WebSocket endpoint, which reportedly fails to validate authentication before granting access to a pseudo-terminal shell. This allows remote attackers to directly execute system commands without credentials.
Researchers explained that vulnerable Marimo instances effectively expose a live command shell over the internet, creating severe risks for organizations using the platform in AI, data science, and cloud development environments.
“Anyone who can reach this endpoint can gain direct command-line access.”
Attackers Rapidly Pivot to Credential Theft
Security teams observed attackers quickly moving beyond initial exploitation and pivoting toward credential harvesting operations. Threat actors reportedly searched compromised systems for .env files, SSH keys, API tokens, cloud credentials, and database secrets.
Researchers noted that a complete credential theft operation was executed in under three minutes during monitored attacks against honeypot systems.
The attackers also conducted manual reconnaissance after gaining shell access, indicating that many campaigns involve human-operated intrusions rather than fully automated malware deployment.
Malware Campaigns Leveraging the Flaw
Further investigations revealed that cybercriminals are using the Marimo vulnerability to distribute malware payloads, including NKAbuse variants hosted on Hugging Face Spaces.
Researchers stated that the campaigns combine credential theft, lateral movement attempts, and backdoor installation to compromise broader cloud infrastructure. Some attacks reportedly targeted PostgreSQL and Redis services after the initial breach.
“Attackers are rapidly exploiting CVE-2026-39987.”
AI and Developer Environments at Risk
Marimo is commonly used in data science, AI experimentation, and Python-based notebook workflows, making the vulnerability particularly dangerous for cloud-connected developer environments.
Security researchers warned that exposed notebook platforms often contain privileged cloud credentials, AI model data, API keys, and infrastructure access tokens that attackers can leverage for deeper compromise.
The rapid weaponization of the vulnerability also demonstrates how attackers are increasingly monitoring public advisories and quickly developing exploits for newly disclosed flaws.
Patch and Mitigation Recommendations
Experts strongly recommend upgrading Marimo to version 0.23.0 or later immediately, as the patched release fixes the authentication bypass issue affecting the WebSocket endpoint.
Organizations should also rotate all exposed credentials, review notebook server exposure, audit .env files, and monitor for suspicious WebSocket connections targeting /terminal/ws.
Administrators are additionally encouraged to avoid exposing notebook platforms directly to the public internet without strong authentication and network restrictions.
