
AI Agent Hacked a Python Notebook in Under 10 Hours

A critical Marimo flaw (CVE-2026-39987) gave attackers a full shell with no login, and an LLM agent drained the database in minutes.

May 29, 2026

In April 2026, a critical flaw in a popular Python notebook tool went from public disclosure to active exploitation in under ten hours. No public exploit code existed yet. Attackers read the advisory, wrote their own exploit, and were inside exposed systems within hours.

The tool is Marimo, an open-source reactive Python notebook used by data scientists, ML engineers, and increasingly by founders building data apps and dashboards. It has around 20,000 stars on GitHub. The bug, tracked as CVE-2026-39987, scored 9.3 out of 10 on severity. CISA later added it to its Known Exploited Vulnerabilities catalog.

What actually broke

Marimo has a built-in terminal feature. It runs over a WebSocket connection at an address ending in /terminal/ws. Other parts of the app correctly checked whether a user was logged in before granting access. This one endpoint forgot to.

The result was simple and severe. Anyone who could reach that address got a full command-line shell on the server. No password. No login. The same level of access as the program itself, which in many container setups means root.
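The failure mode above, as an added example that is not Marimo's code: per-endpoint authentication where each handler opts in on its own, so one forgotten route (the WebSocket terminal) answers anonymous requests, next to the deny-by-default alternative where a single gate in front of the router covers every non-public path. The routes, session store and handlers are constructed for illustration; the audit helper at the end is the check a test suite should run so a missing gate fails before deployment.

```python
# Added example, not Marimo's code. Models the advisory's failure mode
# (per-endpoint auth checks where one WebSocket route is forgotten) and the
# deny-by-default alternative. Paths, handlers and sessions are constructed.
from dataclasses import dataclass, field
from typing import Callable

SESSIONS = {"tok-alice": "alice"}          # constructed session store


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


def authenticated(req: Request) -> bool:
    return req.headers.get("x-session") in SESSIONS


def kernel_handler(req: Request) -> tuple[int, str]:
    return 200, "kernel ok"


def terminal_handler(req: Request) -> tuple[int, str]:
    return 101, "shell attached"       # WebSocket upgrade to a PTY


ROUTES: dict[str, Callable[[Request], tuple[int, str]]] = {
    "/api/kernel": kernel_handler,
    "/terminal/ws": terminal_handler,
    "/health": lambda req: (200, "ok"),
}
PUBLIC = {"/health"}                       # the only routes that need no session


def vulnerable_dispatch(req: Request) -> tuple[int, str]:
    """Each handler opts in to auth; the terminal route forgot to."""
    if req.path == "/api/kernel" and not authenticated(req):
        return 401, "login required"
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


def hardened_dispatch(req: Request) -> tuple[int, str]:
    """One gate before the router: every non-public path needs a session."""
    if req.path not in PUBLIC and not authenticated(req):
        return 401, "login required"
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


def exposed_without_login(dispatch) -> list[str]:
    """Audit helper: non-public routes that answer an anonymous request."""
    return [p for p in ROUTES if p not in PUBLIC
            and dispatch(Request(p))[0] not in (401, 403)]
```

Running `exposed_without_login` against the route table is the kind of check that turns "one endpoint forgot to" into a failing test rather than an advisory.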

Where the AI comes in

Plenty of breaches stop at "attacker gets a shell." This one is notable for what happened next.

This is one of the first observed intrusions where an AI agent handled the post-breach work end to end. It is a preview of where attacks are heading.

What this means for vibe-coded apps

Notebook environments like Marimo and Jupyter rarely go through security review. A researcher or an early hire spins one up to ship a quick dashboard, gives it broad cloud permissions so it "just works," and exposes it to the internet. That convenience is exactly what was exploited and drained here.

If you are building products with AI coding tools, the same pattern shows up everywhere. Tools get deployed fast. Permissions get set wide to avoid friction. Endpoints get exposed without anyone checking who can reach them. The Marimo flaw was one missing authentication check on one endpoint. That was all it took.

The speed is the other lesson. The gap between a flaw becoming public and someone exploiting it is now measured in hours, not days. Attackers monitor every advisory and use AI to weaponize them quickly. Planning to patch over the weekend is no longer a safe bet.

What to do

Start with an inventory. List every notebook, dashboard, and internal tool you have running, and confirm which ones are reachable from the internet. Keep tools like Marimo on internal networks behind real authentication. Stop storing production secrets and .env files inside notebook environments, since a single shell turns them into a shopping list. Run services as a non-root user with the narrowest permissions they need. And if you use Marimo, update to version 0.23.0 or later, which fixes the flaw.

Most teams do not know which of their AI-built tools are quietly exposed until someone tests them. That is the work we do at VibeAudits. We manually audit vibe-coded apps and AI agent deployments the way a real attacker would, before a real one does. If you want to know what your stack actually exposes, get in touch.
