Marimo RCE Exploited in 10 Hours, Exposing AI-Accelerated Attack on Data Science Infrastructure
Critical pre-authentication vulnerability in open-source Python notebook weaponised within hours of disclosure, threatening ML pipelines and cloud credentials across enterprise data operations.
A critical remote code execution vulnerability in Marimo, an open-source Python notebook platform, was exploited 9 hours 41 minutes after public disclosure on 8 April 2026, marking one of the fastest weaponisation timelines on record for data science infrastructure.
CVE-2026-39987 (CVSS 9.3) affects all versions of Marimo through 0.20.4, allowing unauthenticated attackers to execute arbitrary system commands via an unprotected WebSocket endpoint. The vulnerability resides in /terminal/ws, which lacks authentication validation entirely — while Marimo’s standard /ws endpoint correctly implements validate_auth(), the terminal endpoint skips this check, according to DailyCVE. Attackers exploited this flaw to gain full PTY shell access and execute a credential theft operation in under three minutes.
The AI-Assisted Weaponisation Cycle
No public proof-of-concept code existed when the first exploitation attempt occurred. The attacker built a working exploit from the advisory description alone, suggesting automated analysis of security disclosures. The Sysdig Threat Research Team, which detected the attack via honeypot infrastructure, observed that threat actors are now monitoring advisory feeds broadly and using AI to parse vulnerability descriptions into functional exploits.
“The speed of exploitation seen by the Sysdig TRT suggests that threat actors are monitoring advisory feeds broadly, not just for high-profile targets, and are capable of weaponizing vulnerabilities in niche software within hours of disclosure,” per Sysdig.
The median time-to-exploit has collapsed from 771 days in 2018 to hours in 2024. By 2023, 44% of exploited vulnerabilities were weaponised within 24 hours of disclosure, according to the Zero Day Clock Project. The Marimo incident fits a pattern: on 17 March 2026, CVE-2026-33017 in Langflow — another notebook platform with a CVSS 9.3 rating — was exploited within 20 hours, per CSO Online. In that case, attackers harvested API keys for OpenAI, Anthropic, and AWS from compromised ML pipelines.
“It also implies that threat actors are using AI to analyze vulnerability advisory descriptions, build working exploits, and accelerate their operations.”
— Sysdig Threat Research Team
Supply Chain Exposure Across Data Science Stacks
Marimo holds ~19,600 GitHub stars and is deployed across data science, ML experimentation, and internal analytics workflows, often in containerised environments with broad network access for collaboration. These platforms are routinely configured with database connections, cloud credentials, and access to sensitive datasets — making a single compromised instance a potential beachhead for lateral movement.
“Platforms like marimo, Jupyter, and other notebook tools are frequently deployed by research teams outside of standard security review processes and may be running with broad cloud credentials,” Sysdig noted. The credential theft observed in the honeypot attack follows the pattern seen in Langflow: manual reconnaissance after initial compromise, exfiltration of API keys, and potential cross-ecosystem propagation.
Supply chain attacks doubled in 2025, with global losses reaching $60 billion, and 70% of organisations faced supply chain incidents that year, according to Bastion. The integration of notebook platforms into Jupyter ecosystems and enterprise ML operations at cloud providers including Databricks and Mode Analytics extends the attack surface beyond individual deployments.
- Pre-authentication RCE in Marimo ≤0.20.4 exploited within 10 hours of the 8 April advisory
- No public PoC existed — attacker built exploit from advisory text alone, indicating AI-assisted tooling
- Credential theft completed in under 3 minutes via full PTY shell access
- Median time-to-exploit was 771 days in 2018; by 2023, 44% of exploited vulnerabilities were weaponised within 24 hours
- Marimo integrations with Jupyter and enterprise ML platforms create supply chain risk
Patch Adoption as Primary Defense
Marimo maintainers released version 0.23.0 on 9 April, addressing the authentication bypass. The advisory describes the flaw: “The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands,” per The Hacker News.
Organisations face a stark choice: rapid patch adoption, which carries its own operational risk in production ML pipelines, or delayed upgrades that leave credentials exposed. Network segmentation can reduce attack surface, but many data science teams deploy notebooks with broad internet access to facilitate collaboration.
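A defensive check for the endpoint named in the advisory, added here as an example (not code from Marimo, Sysdig or the advisory itself): it scans reverse-proxy access logs for requests to /terminal/ws and separates accepted WebSocket upgrades from rejected probes. The nginx combined log format, the internal address ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# nginx "combined" access-log format (assumed; adjust for your proxy).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumed internal ranges; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TERMINAL_PATH = "/terminal/ws"  # endpoint named in the advisory


def classify(line):
    """Return a finding for a request to /terminal/ws, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Compare on the path only: drop query string and trailing slash.
    path = m["target"].split("?", 1)[0].rstrip("/")
    if path != TERMINAL_PATH:
        return None
    try:
        src = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None  # e.g. "unix:" logged for a local socket
    external = not any(src in net for net in INTERNAL_NETS)
    # 101 Switching Protocols = the WebSocket upgrade was accepted, so a
    # terminal session was opened; any other status is only a probe.
    opened = m["status"] == "101"
    severity = ("critical" if external else "review") if opened else "probe"
    return {"ip": m["ip"], "time": m["ts"], "severity": severity}


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.0.4.17 - - [08/Apr/2026:09:02:11 +0000] "GET /ws?session_id=a1 HTTP/1.1" 101 0 "-" "-"',
    '203.0.113.45 - - [08/Apr/2026:21:14:03 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "-"',
    '198.51.100.9 - - [08/Apr/2026:21:20:40 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 403 153 "-" "-"',
    '10.0.4.17 - - [09/Apr/2026:08:30:00 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "-"',
]
if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```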
“The assumption that attackers only target widely deployed platforms is wrong. Any internet-facing application with a critical advisory is a target, regardless of its popularity,” a cloud security analyst told The Hacker News.
Marimo is a modern alternative to Jupyter, offering reactive Python notebooks favoured for ML experimentation and analytics. Unlike traditional notebooks, Marimo treats cells as interconnected nodes, automatically re-executing dependent code when inputs change. This architecture makes it popular for production-adjacent workflows where data scientists iterate rapidly on models with live cloud integrations.
What to Watch
Track patch adoption velocity across cloud providers and ML platform vendors. Databricks, Mode Analytics, and other platforms that integrate Marimo or similar notebook tools will likely issue security advisories if vulnerable versions are detected in customer environments. Monitor credential rotation activity from compromised instances — API key leakage from data science infrastructure can propagate across AWS, GCP, and Azure environments. The gap between disclosure and exploitation will continue to narrow as AI-assisted tooling matures; organisations without sub-24-hour patch cycles for internet-facing development infrastructure are now operating at a structural disadvantage.