Marimo OSS Python Notebook RCE: From Disclosure to Exploitation in Under 10 Hours
Blog post from Sysdig
A critical remote code execution (RCE) vulnerability in the Marimo open-source Python notebook platform was disclosed on April 8, 2026. It allowed attackers to gain full shell access through a WebSocket connection without authentication. Despite Marimo's relatively small user base, the Sysdig Threat Research Team observed exploitation attempts within 9 hours and 41 minutes of the advisory's publication, highlighting how rapidly attackers weaponize such vulnerabilities even in niche software. The vulnerability, tracked as GHSA-2679-6mx9-h9xc, involved the /terminal/ws WebSocket endpoint, which lacked authentication checks. Attackers exploited it to carry out a complete credential theft operation in under 3 minutes, reading environment variables to harvest sensitive credentials. The incident underscores the need for organizations to monitor advisories beyond CVE databases and high-profile software: any internet-facing application with a critical vulnerability is at risk shortly after disclosure. Measures such as runtime detection, network segmentation, and swift credential rotation are crucial as exploitation timelines continue to shrink, with attackers potentially using AI to accelerate their operations.
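The post names the unauthenticated /terminal/ws endpoint as the entry point. As an added example (not code from the Sysdig post or the Marimo project), the following Python flags completed WebSocket upgrades to that path that carried no credential, run over constructed access-log lines. The log format, including the `upgrade=` and `auth=` fields, is an assumption about how a reverse proxy in front of the notebook server could be configured to log.

```python
import re
from ipaddress import ip_address

# Constructed sample reverse-proxy access log lines (assumed format, not taken
# from the Sysdig post): client, timestamp, request line, status, and two
# assumed custom fields recording the Upgrade header and whether any
# authorization credential accompanied the request.
SAMPLE_LOG = """\
127.0.0.1 - - [08/Apr/2026:13:55:02 +0000] "GET /terminal/ws HTTP/1.1" 101 upgrade=websocket auth=-
203.0.113.7 - - [08/Apr/2026:14:02:11 +0000] "GET /terminal/ws HTTP/1.1" 101 upgrade=websocket auth=-
203.0.113.7 - - [08/Apr/2026:14:02:12 +0000] "GET /static/app.js HTTP/1.1" 200 upgrade=- auth=-
198.51.100.23 - - [08/Apr/2026:14:03:40 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 upgrade=websocket auth=-
198.51.100.23 - - [08/Apr/2026:14:03:41 +0000] "GET /terminal/ws HTTP/1.1" 101 upgrade=websocket auth=present
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) upgrade=(?P<upgrade>\S+) auth=(?P<auth>\S+)$'
)

TERMINAL_WS = "/terminal/ws"  # the endpoint named in the advisory


def find_unauthenticated_terminal_ws(log_text):
    """Return findings for successful WebSocket upgrades to /terminal/ws that
    carried no credential. Remote sources are 'high', loopback 'medium'."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = m["path"].split("?", 1)[0]  # ignore query string when matching
        if path != TERMINAL_WS:
            continue
        if m["status"] != "101" or m["upgrade"].lower() != "websocket":
            continue  # not a completed WebSocket upgrade
        if m["auth"] != "-":
            continue  # a credential was presented; leave it to the auth layer
        severity = "medium" if ip_address(m["ip"]).is_loopback else "high"
        findings.append({"ip": m["ip"], "ts": m["ts"],
                         "path": m["path"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_terminal_ws(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['ts']} {f['path']}")
```

On the sample input the first line is rated medium (loopback client) and the two remote credential-less upgrades are rated high; the static asset and the authenticated upgrade are ignored.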