Critical Marimo Vulnerability: Hackers Steal Cloud Keys in Minutes via Open Terminal
A critical vulnerability CVE-2026-39987 in the Marimo Python notebook platform allowed attackers to gain unauthorized remote access to systems. Attacks began just 10 hours after the issue was disclosed, targeting the theft of cloud service credentials.
Technical Details of the Issue
The vulnerability affects Marimo versions prior to 0.20.4 and is linked to the WebSocket endpoint /terminal/ws. This endpoint provides an interactive terminal without any access controls, granting the attacker the privileges of the current process. The CVSS score is 9.3 out of 10, highlighting the severe risk.
Developers identified the issue on April 8, 2026, and promptly released a patch in version 0.23.0. However, within the first 12 hours following publication, Sysdig detected scanning activity from 125 IP addresses. The first exploitation occurred in less than 10 hours.
Exploitation Scenario and Attack Speed
Attackers used a simple sequence:
- Connect to the WebSocket.
- Check environment using commands
pwd,whoami,ls. - Search for
.envfiles and SSH keys. - Dump environment variables containing cloud service keys.
The entire process took approximately 180 seconds. The attacks were manual: without installing malware or miners, aiming for rapid data extraction. One IP address returned an hour later to re-check.
Risks for Developers and Data Science
Marimo is popular among data analysts and machine learning specialists for its interactive Python notebooks. The vulnerability is particularly critical when running with --host 0.0.0.0, which opens access from external networks. This leads to the compromise of AWS, Google Cloud, or other service keys, potentially causing data breaches, financial losses, or chain attacks.
Protection Measures and Recommendations
- Update to version 0.23.0 immediately.
- Restrict network access to Marimo.
- Monitor connections to
/terminal/ws. - Rotate all potentially compromised keys.
- Use VPNs or firewalls for editing.
Key Takeaways
- The vulnerability allows RCE without authentication, endangering thousands of developers.
- Attacks started 10 hours post-disclosure—exploitation speed is increasing.
- Primary target is cloud service secrets in
.envfiles. - A patch has been released, but scanning continues from hundreds of IPs.
- The incident highlights the risks of open tools for data science.
Context and Industry Implications
Such vulnerabilities are typical for development tools where convenience conflicts with security. In 2025–2026, similar issues were recorded in Jupyter and Streamlit, leading to a 40% increase in attacks according to Sysdig. Consequences include companies losing control over cloud resources, strengthening the need for zero-trust models. For Europe and Latin America, this is relevant due to data science migration to the cloud—breaches could violate GDPR or local regulations.
— Editorial Team
No comments yet.