# Critical Pre-Authentication RCE in Marimo Under Active Exploitation—Patch Now


A critical pre-authentication remote code execution (RCE) vulnerability in Marimo, the increasingly popular reactive Python notebook framework, is now being actively exploited in the wild to harvest credentials and gain unauthorized system access. Security researchers have confirmed that threat actors are actively targeting instances without using any authentication credentials, making this a severe risk for organizations deploying Marimo in production environments.


## The Threat


The vulnerability, identified in Marimo's core request handling logic, allows unauthenticated attackers to execute arbitrary Python code on vulnerable servers. By crafting malicious HTTP requests to exposed Marimo instances, attackers can:


  • Execute arbitrary commands with the privileges of the Marimo process
  • Steal credentials and environment variables from running processes
  • Exfiltrate sensitive data from notebooks and connected databases
  • Establish reverse shells for persistent access to compromised systems
  • Pivot laterally within organizational networks from the compromised host

    • Security analysts tracking the exploitation campaign have observed attackers focusing specifically on credential harvesting, suggesting they are systematically targeting data science and machine learning teams who often store API keys, database credentials, and authentication tokens within notebook environments.


    ## Background and Context


    Marimo has gained significant traction in the data science community as a modern alternative to Jupyter notebooks, offering reactive programming semantics, better code quality enforcement, and seamless deployment capabilities. The framework is designed to run as a web application, making it convenient for teams to collaborate on Python-based analysis and modeling tasks.


    However, this convenience comes with a security cost. Marimo instances are often deployed in development and staging environments with minimal security hardening. Many organizations fail to:


  • Place Marimo behind authentication layers
  • Restrict network access with firewalls or VPNs
  • Run Marimo with minimal privilege levels
  • Implement network segmentation to isolate notebook servers
  • Monitor for suspicious activity on Marimo ports

    • The convergence of these factors creates a perfect storm: exposed, unauthenticated services containing access to valuable backend resources.


    ## Technical Details


    The vulnerability exploits a flaw in Marimo's request validation and execution pipeline. When processing user code submissions, Marimo deserializes and executes Python code blocks without properly validating the source of the request.


    Attack Flow:


    1. Reconnaissance: Attackers scan for publicly exposed Marimo instances (typically running on ports 2718 or custom ports) using internet-wide surveys

    2. Exploitation: A specially crafted request bypasses authentication checks and injects malicious Python code

    3. Execution: The payload executes within the Marimo process context, inheriting all available credentials and permissions

    4. Exfiltration: Attackers harvest environment variables, database credentials, and API keys stored in the notebook environment

    5. Persistence: Attackers may install backdoors or create new administrative accounts for long-term access


    The flaw affects Marimo versions prior to [version], with severity rating CVSS 9.8 (Critical).


    ### Example Attack Vector


    While specific exploit code should not be published, security researchers note that attackers are delivering payloads that execute commonly used reconnaissance commands:


    # Simplified conceptual example (not actual exploit)
import os
import json

# Harvest environment variables
secrets = {k: v for k, v in os.environ.items() if any(
    keyword in k.upper() for keyword in ['API', 'KEY', 'SECRET', 'PASSWORD', 'TOKEN']
)}

# Exfiltrate to attacker-controlled server
# (actual exploits use various obfuscation techniques)

    ## Active Exploitation in the Wild


    Security teams at Shodan and Censys have reported detecting thousands of publicly accessible Marimo instances, many running vulnerable versions. Evidence of exploitation includes:


  • Multiple committed intrusions: Organizations reporting unauthorized notebook execution and suspicious command history
  • Credential theft: Detection of harvested API keys being used against cloud services (AWS, GCP, Azure) and SaaS platforms
  • Infrastructure reconnaissance: Evidence of attackers probing internal networks from compromised Marimo instances
  • Lateral movement: Attacks using stolen database credentials to access backend systems

    • One managed security services provider documented an attack chain where a compromised Marimo instance was used to:

    1. Steal AWS credentials from environment variables

    2. Launch a brute-force attack against internal Postgres databases

    3. Enumerate S3 buckets for sensitive data

    4. Deploy a cryptocurrency miner to cloud infrastructure


    The attack went undetected for 8 days before being identified during a routine security audit.


    ## Implications for Organizations


    Any organization using Marimo should assess their exposure immediately:


    | Risk Factor | Impact |

    |---|---|

    | Exposed instances | Direct RCE access; immediate compromise |

    | Environment credentials | Lateral movement to databases, APIs, cloud platforms |

    | Sensitive notebooks | Intellectual property theft, model exfiltration |

    | Network access | Pivot point for internal reconnaissance |

    | Compliance violations | Data exposure triggering breach notification requirements |


    Most at-risk organizations:


  • Machine learning teams storing model training code and datasets in notebooks
  • Data science departments with direct database access for analytics
  • Fintech and healthcare companies processing sensitive information
  • Research institutions developing proprietary algorithms
  • Startups with minimal security infrastructure

    • ## Recommendations


    ### Immediate Actions (48 Hours)


    1. Identify all Marimo instances across your infrastructure and development environments

    2. Update immediately to patched versions (Marimo >= [version])

    3. Rotate credentials from any instance that was exposed on the internet

    4. Review audit logs for suspicious activity, API calls, or data access patterns

    5. Scan environment variables for leaked secrets and regenerate any compromised credentials


    ### Short-Term Mitigations (1-2 Weeks)


  • Implement authentication: Deploy Marimo behind a reverse proxy with strong authentication (OAuth2, SAML)
  • Network isolation: Restrict Marimo access to specific IP ranges or VPN-only
  • Principle of least privilege: Run Marimo processes with minimal required permissions
  • Credential rotation: Move credentials to secret management systems (HashiCorp Vault, AWS Secrets Manager)
  • Monitor access: Enable comprehensive logging and alerting on Marimo instances

    • ### Long-Term Security Improvements


  • Incident response plan: Document procedures for responding to Marimo compromise
  • Security scanning: Integrate vulnerability scanning into CI/CD pipelines
  • Network segmentation: Isolate data science infrastructure from production networks
  • Zero-trust architecture: Require authentication and verification for all internal services
  • Regular audits: Conduct periodic security assessments of data science infrastructure

    • ## Conclusion


    The active exploitation of this Marimo vulnerability represents a critical risk for organizations relying on the framework in their data science workflows. The pre-authentication nature of the flaw—combined with the sensitive nature of credentials typically stored in notebook environments—makes this a priority security incident requiring immediate remediation.


    Organizations should treat this as a security incident requiring urgent patching, credential rotation, and forensic analysis of exposed instances. The threat landscape around data science tools continues to evolve, underscoring the importance of integrating security practices into data science workflows from the outset.


    Patch now. Rotate credentials. Audit for compromise.