Marimo Python Notebook Pre-Authentication RCE Now Weaponized with LLM-Driven Post-Exploitation (CVE-2026-39987)

Scope: Marimo Python Notebook Versions 0.20.4 and Earlier

Severity: Red

A critical unauthenticated remote code execution vulnerability (CVSS 9.3) in Marimo's reactive Python notebook framework stems from the /terminal/ws WebSocket endpoint lacking the validate_auth() call present on all other WebSocket endpoints. Over a single WebSocket connection, any unauthenticated remote attacker obtains a full interactive PTY shell running with the privileges of the Marimo process (often root in containerized deployments). Active exploitation was first observed by Sysdig just 9 hours and 41 minutes after disclosure on April 8, 2026, with credential theft completed in under 3 minutes. More recently, Sysdig documented a significantly more dangerous variant in which attackers deploy an autonomous LLM agent post-exploitation to adaptively search for and harvest AWS keys, SSH keys, and .pgpass files, replay the stolen keys against AWS Secrets Manager to retrieve additional SSH private keys, pivot to bastion hosts, and dump complete PostgreSQL database schemas and contents in under two minutes. Organizations must immediately upgrade to Marimo 0.23.0 or later, take any publicly exposed instances offline until patched, rotate all cloud credentials and SSH keys on affected hosts, and review AWS CloudTrail for unauthorized GetSecretValue API calls as an indicator of post-exploitation activity.
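A defender-side check for the last recommendation, added here as an illustration and not part of the advisory or of any Sysdig or Marimo tooling: it scans CloudTrail records for GetSecretValue calls from unexpected principals or source networks, and for a single principal reading several distinct secrets within a short window, which matches the rapid key-replay behaviour the advisory describes. The sample records, the account id, the principal allowlist and the network ranges are all constructed for the example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed CloudTrail-style records (illustrative only; account id, principals, IPs and
# secret names are made up). Real records come from the CloudTrail "Records" array.
def _ev(time, arn, ip, secret):
    return {"eventTime": time, "eventName": "GetSecretValue", "sourceIPAddress": ip,
            "userIdentity": {"arn": arn}, "requestParameters": {"secretId": secret}}

CI = "arn:aws:iam::123456789012:user/ci-deployer"
SVC = "arn:aws:iam::123456789012:user/notebook-svc"
SAMPLE_EVENTS = [
    _ev("2026-04-09T01:12:03Z", CI, "10.0.4.21", "prod/db/password"),
    _ev("2026-04-09T03:40:10Z", SVC, "203.0.113.77", "prod/bastion/ssh-key"),
    _ev("2026-04-09T03:40:41Z", SVC, "203.0.113.77", "prod/db/password"),
    _ev("2026-04-09T03:41:05Z", SVC, "203.0.113.77", "prod/pgpass"),
]
# Assumed allowlists: principals and networks expected to read secrets in this environment.
ALLOWED_PRINCIPALS = {CI}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_suspicious_secret_reads(events, allowed_principals, allowed_networks,
                                 window_seconds=120, burst_threshold=3):
    # alerts: reads from an unexpected principal/network; bursts: >= threshold distinct secrets per window
    reads = sorted((e for e in events if e.get("eventName") == "GetSecretValue"), key=_ts)
    alerts, by_arn = [], {}
    for e in reads:
        arn = e.get("userIdentity", {}).get("arn", "")
        try:
            ip_ok = any(ipaddress.ip_address(e.get("sourceIPAddress", "")) in n for n in allowed_networks)
        except ValueError:  # AWS service-originated calls log a DNS name, not an IP address
            ip_ok = False
        reasons = []
        if arn not in allowed_principals:
            reasons.append("unexpected principal")
        if not ip_ok:
            reasons.append("source IP outside allowed networks")
        if reasons:
            alerts.append((e["eventTime"], arn, e["requestParameters"]["secretId"], reasons))
        by_arn.setdefault(arn, []).append(e)
    bursts = []
    for arn, evs in by_arn.items():
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if (_ts(x) - _ts(first)).total_seconds() <= window_seconds]
            secrets = {x["requestParameters"]["secretId"] for x in in_window}
            if len(secrets) >= burst_threshold:
                bursts.append((arn, sorted(secrets)))
                break  # one burst report per principal is enough for triage
    return alerts, bursts
```

Tune the allowlists and the burst window to the environment; an alert is a triage lead, and the rotation steps above still apply to any host where the Marimo endpoint was reachable.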

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.