Critical Marimo Flaw Exploited Hours After Public Disclosure
Marimo RCE flaw exploited within 9 hours of public disclosure; attacker built working exploit without PoC.
Summary
A critical unauthenticated remote code execution vulnerability (CVE-2026-39987, CVSS 9.3) in the open-source Python notebook Marimo was exploited by a threat actor just 9 hours and 41 minutes after public disclosure. The attacker built a functional exploit directly from the advisory, gained shell access, and exfiltrated credentials. Sysdig observed the attack from one IP address with 125 others conducting reconnaissance; the entire operation took under three minutes.
Full text
A threat actor built an exploit for a critical-severity vulnerability in Marimo and started using it in attacks roughly nine hours after the bug’s public disclosure, cloud security firm Sysdig reports.

Marimo is an open-source reactive notebook for Python designed to ensure that code, outputs, and program state remain consistent. It has approximately 20,000 stars on GitHub.

On April 8, the platform’s maintainers disclosed CVE-2026-39987 (CVSS score of 9.3), an unauthenticated remote code execution (RCE) flaw rooted in the lack of authentication validation in the terminal WebSocket endpoint. The issue could allow attackers to obtain a full interactive shell without authentication, leading to arbitrary system command execution.

“Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification,” Marimo’s maintainers explain.

According to Sysdig, the first exploitation of the bug was observed 9 hours and 41 minutes after the advisory was published. Although no proof-of-concept (PoC) had been published, the attacker created a functional exploit and used it to steal credentials.

“The attacker built a working exploit directly from the advisory description, connected to the unauthenticated terminal endpoint, and began manually exploring the compromised environment,” Sysdig notes.

The cybersecurity firm says it has observed exploitation activity from a single IP address, but an additional 125 addresses were involved in reconnaissance operations, such as port scanning and HTTP probing.

As part of the attack caught by a Sysdig honeypot, the threat actor connected to the vulnerable terminal WebSocket endpoint, performed manual reconnaissance two minutes later, and returned six minutes later to exfiltrate credential-containing files.
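The maintainers’ description above boils down to one WebSocket handler that checks mode and platform but never calls the auth check its sibling endpoint uses. The following is an added illustration written for this article, not Marimo’s code: the request shape, the `validate_auth` logic, the `edit` mode name and the `marimo_token` cookie/`access_token` parameter names are all assumptions, and the vulnerable handler is kept only to show what a route-level regression check would have flagged.

```python
import hmac
from dataclasses import dataclass, field

# Constructed server-side secret; a real server would generate one at startup.
SERVER_TOKEN = "constructed-session-token"


@dataclass
class WsRequest:
    """Minimal stand-in for an incoming WebSocket upgrade request (assumed shape)."""
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def _token_from_cookie(header: str) -> str:
    # Assumed cookie name; walk "a=b; c=d" pairs and pull the session token.
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "marimo_token":
            return value
    return ""


def validate_auth(req: WsRequest) -> bool:
    """Accept only a request presenting the server token (query param or cookie).
    compare_digest keeps the comparison constant-time."""
    presented = req.query.get("access_token") or _token_from_cookie(req.headers.get("Cookie", ""))
    return bool(presented) and hmac.compare_digest(presented, SERVER_TOKEN)


def kernel_ws(req: WsRequest, mode: str, terminal_supported: bool) -> bool:
    """The /ws-style endpoint: authenticates before accepting."""
    return validate_auth(req)


def terminal_ws_vulnerable(req: WsRequest, mode: str, terminal_supported: bool) -> bool:
    """Pattern the advisory describes: mode and platform are checked, auth is not."""
    return mode == "edit" and terminal_supported  # validate_auth() never runs


def terminal_ws_fixed(req: WsRequest, mode: str, terminal_supported: bool) -> bool:
    """Hardened form: refuse the upgrade before any shell is spawned."""
    if mode != "edit" or not terminal_supported:
        return False
    return validate_auth(req)  # False here means close the socket, no PTY


def unauthenticated_ws_routes(routes: dict, mode: str = "edit", terminal_supported: bool = True) -> list:
    """Regression check: list WebSocket routes that accept a credential-less request.
    Run over the whole route table; the expected result is an empty list."""
    return [path for path, handler in routes.items()
            if handler(WsRequest(path=path), mode, terminal_supported)]
```

The point of `unauthenticated_ws_routes` is that an authentication gap on one endpoint is easy to miss in review but trivial to assert against in CI once every socket route is enumerated.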
Furthermore, the attacker was seen attempting to read every file in the targeted directory and searching for SSH keys. The entire operation, Sysdig says, was over within three minutes.

All Marimo releases up to version 0.20.4 are affected by CVE-2026-39987. Users are advised to update to version 0.23.0 or newer, which contains patches for the bug.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
Indicators of Compromise
- cve — CVE-2026-39987
- malware — Marimo RCE exploit