Protect.Computer

Critical RCE Flaw in Marimo Python Notebooks Actively Exploited (CVE-2026-39987)

A critical, unauthenticated remote code execution (RCE) vulnerability in the popular Marimo open-source Python notebook environment is being actively exploited in the wild. Disclosed on April 10, 2026, the vulnerability was reportedly exploited by threat actors within just 10 hours of its public disclosure to steal credentials and gain unauthorized access to data science environments.

What Happened

The vulnerability, tracked as CVE-2026-39987, carries a critical CVSS score of 9.3. It stems from improper input validation and unsafe deserialization within the Marimo backend, allowing an unauthenticated attacker to execute arbitrary Python code on the host system running the notebook server.

Marimo, known for its reactive and reproducible notebook capabilities, has seen significant adoption in data science and AI development pipelines. Because notebook environments often have access to sensitive data, cloud credentials, and internal networks, this vulnerability poses a severe risk to organizations. Threat actors are actively scanning for exposed Marimo instances to deploy post-exploitation tools, steal environment variables (such as AWS keys and API tokens), and potentially pivot further into corporate networks.

All versions of Marimo up to and including 0.20.4 are vulnerable. The maintainers have rushed out an emergency patch in version 0.23.0 to address the flaw. The advisory says nothing about the 0.21.x and 0.22.x releases that sit between those two boundaries, so treat anything below 0.23.0 as needing the upgrade.

How to check if you’re affected

To determine if your environment is exposed and to secure your systems, follow these steps immediately:

  1. Check your Marimo version: Run marimo --version or pip show marimo. If the version is 0.20.4 or lower, you are vulnerable. Run the check inside every virtual environment and container image that hosts a notebook server, since each carries its own copy of the package.
  2. Update Marimo: Immediately upgrade to the patched version by running pip install --upgrade "marimo>=0.23.0". The quotes matter: unquoted, the shell treats >= as an output redirection and pip never sees the version constraint.
  3. Audit exposed instances: Ensure that your Marimo instances are not reachable from the public internet. Bind the server to a loopback or internal address rather than all interfaces, and place notebooks behind an authentication gateway, VPN, or internal network; the flaw is unauthenticated, so anything that can reach the port can exploit it.
  4. Review logs and rotate credentials: Check your server and application logs for unusual code execution or unauthorized access. Because exploits observed in the wild steal credentials, rotate every API key, database password, and cloud credential that was readable from the Marimo process, whether from its environment variables or from files on the host, and treat the host itself as compromised if it was exposed.
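The following Python script is an added example, not code from the Marimo project or from this advisory. It automates step 1 (classify the installed version against the boundaries the advisory states: 0.20.4 and below vulnerable, 0.23.0 patched, everything in between reported as unknown) and builds the rotation list for step 4 by naming, never printing, environment variables that look like credentials and well-known credential files under the home directory. The version boundaries come from the advisory; the credential-name pattern and the file list are this example's own assumptions and should be tuned to your stack.

```python
"""Offline triage helper for the Marimo advisory (CVE-2026-39987).

Added example, not code from the Marimo project or the advisory.
"""
import os
import re
from importlib import metadata

LAST_VULNERABLE = (0, 20, 4)   # advisory: all versions up to and including 0.20.4
FIXED = (0, 23, 0)             # advisory: fix shipped in 0.23.0

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(.*?)\s*$")
# Suffixes that do not make a version a pre-release: ".postN" and "+local" builds.
_POST_OR_LOCAL_RE = re.compile(r"^(\.post\d+)?(\+[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for strings such as
    '0.20.4', 'v0.20.4', '0.23.0rc1' or '0.23.0.dev3'.

    Only the leading numeric components are compared; any other suffix
    (rc, a, b, dev, ...) is treated conservatively as a pre-release."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    suffix = m.group(4)
    return nums, not _POST_OR_LOCAL_RE.match(suffix)


def classify(version_text):
    """'vulnerable', 'patched' or 'unknown' relative to the advisory's boundaries.

    Versions between 0.20.4 and 0.23.0, and pre-releases of 0.23.0, are not
    addressed by the advisory text, so they are reported as unknown: upgrade anyway."""
    nums, prerelease = parse_version(version_text)
    if nums <= LAST_VULNERABLE:
        return "vulnerable"
    if nums > FIXED or (nums == FIXED and not prerelease):
        return "patched"
    return "unknown"


def installed_marimo_version():
    """Version of the marimo distribution visible to this interpreter, or None
    if it is not installed here (run once per virtualenv / container image)."""
    try:
        return metadata.version("marimo")
    except metadata.PackageNotFoundError:
        return None


# Assumption of this example: variable names an attacker harvests first.
_SENSITIVE_NAME_RE = re.compile(
    r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|ACCESS_KEY|CREDENTIAL|DATABASE_URL|DB_URL",
    re.IGNORECASE,
)


def secrets_in_environment(environ):
    """Names (never values) of environment variables that look like credentials.
    Everything listed here must be treated as stolen if the server was exposed."""
    return sorted(name for name in environ if _SENSITIVE_NAME_RE.search(name))


# Assumption of this example: common places a notebook host keeps long-lived credentials.
CREDENTIAL_FILES = (
    ".aws/credentials", ".netrc", ".kube/config", ".docker/config.json",
    ".config/gcloud/application_default_credentials.json",
    ".ssh/id_rsa", ".ssh/id_ed25519",
)


def credential_files_present(home, exists=os.path.exists):
    """Credential files under *home* that exist, hence were readable by the notebook process.
    *exists* is injectable so the function can be exercised without touching the disk."""
    return [rel for rel in CREDENTIAL_FILES if exists(os.path.join(home, rel))]


def main():
    version = installed_marimo_version()
    if version is None:
        print("marimo: not installed in this environment (check every virtualenv and image)")
    else:
        status = classify(version)
        print(f"marimo {version}: {status}")
        if status != "patched":
            print('  -> pip install --upgrade "marimo>=0.23.0"   (quoted: >= is a shell redirect)')
    names = secrets_in_environment(os.environ)
    print("environment variables to rotate:", ", ".join(names) or "none matched")
    files = credential_files_present(os.path.expanduser("~"))
    print("credential files present:", ", ".join(files) or "none")


if __name__ == "__main__":
    main()
```

Run it with the same interpreter that serves the notebook (for example `python triage.py` inside the activated virtualenv), since `importlib.metadata` only sees packages in that interpreter's environment. The output is deliberately names only; copying secret values into a ticket or chat during an incident is how a second leak happens.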
