Zero to Exploit in 10 Hours: Critical RCE Flaw in Marimo Python Notebooks Under Active Attack
A critical pre-authentication Remote Code Execution (RCE) vulnerability in the Marimo open-source Python notebook has seen active exploitation less than half a day after its public disclosure, highlighting the extreme speed of modern threat actors.
SAN FRANCISCO, CA — Security teams are racing to patch installations of Marimo, a reactive Python notebook popular among data scientists and AI researchers, following the discovery of CVE-2026-39987. The vulnerability allows unauthenticated attackers to execute arbitrary code with the privileges of the Marimo process, effectively granting full control over the underlying host.
What has alarmed the industry is the "Exploitation Gap" — the time between the public vulnerability disclosure and the first observed attack. Sysdig researchers reported that honeypots detected exploitation attempts just 10 hours after the flaw was made public, underscoring how automated scanning tools have eliminated the "grace period" for security patching.
| Ecosystem Impact | |
|---|---|
| AI Research Labs | Labs using Marimo to prototype LLMs or data models may have their training data and API secrets exposed. |
| Data Scientists | Independent researchers running local servers on unhardened networks are at risk of local machine compromise. |
| DevOps & SecOps Teams | Teams must audit internal environments for "shadow IT" instances of Marimo that were stood up without formal security review. |
| Cloud Service Providers | Providers offering pre-built data science images must ensure their templates are updated to the latest secure version of Marimo. |
The Technical Breakdown of CVE-2026-39987
The flaw exists in how Marimo handles specific web requests to its backend server. Marimo notebooks are designed to be interactive, often served over a local or remote web interface. Researchers discovered that a lack of proper input validation in the file-path handling logic allowed for a "Path Traversal" style attack.
By sending a specially crafted HTTP request, an attacker can trick the server into executing malicious Python scripts. Because the flaw is pre-authentication, an attacker does not need a username or password to trigger the exploit; they only need network access to the Marimo server.
The AI and Data Science Target
Marimo is frequently used in AI development and data science environments, which often handle sensitive datasets, API keys (such as OpenAI or AWS credentials), and intellectual property.
Key details of the exploit include:
- Mass Scanning: Attackers are using automated tools to scan the public internet for default Marimo ports (typically 10101).
- Root in One Request: The exploit is "single-shot," meaning it requires only one request to achieve full system compromise.
- Honeypot Data: Observed attacks have attempted to deploy cryptocurrency miners and reverse shells, allowing the attackers to maintain a persistent "backdoor" into the research environment.
Marimo has released a security patch in version 0.10.16. Organizations using Marimo are urged to update immediately or, at a minimum, ensure their notebook instances are not exposed to the public internet and are protected behind a VPN or robust firewall.
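The triage implied by the guidance above, written as an added example (not code from Marimo, Sysdig or the original article): it ranks an inventory of notebook instances by whether they run a release older than 0.10.16 and whether the listener is reachable beyond loopback. The inventory format, host names and sample versions are constructed assumptions; the patched version and default port are the values stated in the article.

```python
import ipaddress
import re

PATCHED = (0, 10, 16)  # fixed release named in the article
DEFAULT_PORT = 10101   # port the article says mass scanners probe

def parse_version(text):
    """'0.10.9' -> (0, 10, 9); numeric tuples avoid the string-compare trap
    where '0.10.9' sorts after '0.10.16'. Returns None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def exposure(listen):
    """Classify a 'host:port' listener such as '0.0.0.0:10101' or '[::1]:8080'."""
    host, _, port = listen.rpartition(":")
    ip = ipaddress.ip_address(host.strip("[]"))
    if ip.is_loopback:
        scope = "loopback"
    elif ip.is_unspecified:
        scope = "all-interfaces"
    else:
        scope = "internal" if ip.is_private else "public"
    return scope, int(port)

def triage(instance):
    """Return (priority, action); lower priority number = handle first."""
    version = parse_version(instance["version"])
    vulnerable = version is None or version < PATCHED  # unknown = assume vulnerable
    scope, port = exposure(instance["listen"])
    if vulnerable and scope != "loopback":
        # Unpatched and reachable over the network: the pre-auth flaw applies.
        return (0 if port == DEFAULT_PORT else 1), "upgrade now and restrict network access"
    if vulnerable:
        return 2, "upgrade"
    if scope in ("all-interfaces", "public"):
        return 3, "patched; move behind VPN or firewall"
    return 4, "ok"

def audit(inventory):
    """Sort hosts so the most exposed unpatched instances come first."""
    rows = [(triage(i), i["host"]) for i in inventory]
    return [(host, action) for (prio, action), host in sorted(rows)]

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    {"host": "ds-laptop-07", "version": "0.10.9", "listen": "127.0.0.1:10101"},
    {"host": "gpu-lab-02", "version": "0.10.9", "listen": "0.0.0.0:10101"},
    {"host": "notebook-prod", "version": "0.10.16", "listen": "[::]:8080"},
    {"host": "research-vm", "version": "0.9.34", "listen": "10.20.0.5:8443"},
    {"host": "patched-dev", "version": "0.11.0", "listen": "[::1]:10101"},
]
```

Calling `audit(SAMPLE)` lists the unpatched, network-reachable hosts first; an instance whose version string cannot be parsed is treated as vulnerable rather than skipped.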
The CyberSignal Analysis
Signal 01 — The Disappearing Patch Window
The 10-hour exploitation window for CVE-2026-39987 is a warning shot for all security teams. In 2026, the "weekend patch cycle" is officially dead. If your security operations center doesn't have an automated way to detect and shield newly disclosed critical vulnerabilities within hours, you are essentially gambling with your infrastructure.
Signal 02 — The Risk of the "Niche" Supply Chain
Marimo is a fantastic tool, but it is a "niche" part of the data science supply chain compared to giants like Jupyter. Niche tools often fly under the radar of corporate IT departments. This incident shows that third-party risk assessments must extend deep into the data science stack, where security is often sacrificed for the sake of research velocity.
Sources
| Type | Source |
|---|---|
| Technical Intel | Sysdig: RCE in Under 10 Hours |
| Original Reporting | The Hacker News: Marimo RCE Flaw |
| Vulnerability Data | Endor Labs: Root in One Request |