Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure

Summary

A critical pre-authenticated remote code execution vulnerability (CVE-2026-39987, CVSS 9.3) in the open-source Marimo Python notebook was exploited within 10 hours of public disclosure. The flaw exists in the /terminal/ws WebSocket endpoint which lacks authentication validation, allowing unauthenticated attackers to obtain a full PTY shell and execute arbitrary commands. Sysdig observed the first exploitation attempt 9 hours and 41 minutes after disclosure, with the attacker manually harvesting credentials from .env files and searching for SSH keys.

Full text

Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure Ravie LakshmananApr 10, 2026Vulnerability / Threat Intelligence A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig. The vulnerability in question is CVE-2026-39987 (CVSS score: 9.3), a pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. The issue has been addressed in version 0.23.0. "The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands," Marimo maintainers said in an advisory earlier this week. "Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification." In other words, attackers can obtain a full interactive shell on any exposed Marimo instance through a single WebSocket connection without requiring any credentials. Sysdig said it observed the first exploitation attempt targeting the vulnerability within 9 hours and 41 minutes of it being publicly disclosed, with a credential theft operation executed in minutes, despite there being no proof-of-concept (PoC) code available at the time. The unknown threat actor behind the activity is said to have connected to the /terminal/ws WebSocket endpoint on a honeypot system and initiated manual reconnaissance to explore the file system and, minutes later, systematically attempted to harvest data from the .env file, as well as search for SSH keys and read various files. The attacker returned to the honeypot an hour later to access the contents of the .env file and check if other threat actors were active during the time window. No other payloads, like cryptocurrency miners or backdoors, were installed. "The attacker built a working exploit directly from the advisory description, connected to the unauthenticated terminal endpoint, and began manually exploring the compromised environment," the cloud security company said. "The attacker connected four times over 90 minutes, with pauses between sessions. This is consistent with a human operator working through a list of targets, returning to confirm findings." The speed at which newly disclosed flaws are being weaponized indicates that threat actors are closely keeping an eye on vulnerability disclosures and quickly exploiting them during the time between disclosure and patch adoption.This, in turn, has shrunk the time defenders must respond once a vulnerability is publicly announced. "The assumption that attackers only target widely deployed platforms is wrong. Any internet-facing application with a critical advisory is a target, regardless of its popularity." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Cloud security, Credential Theft, cybersecurity, Open Source, Python, remote code execution, Threat Intelligence, Vulnerability, WebSocket Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks Get Full Visibility into Vendor and Internal Risk in One Platform [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls Secure Your AI Systems Across the Full Lifecycle of Risks

Indicators of Compromise

• cve — CVE-2026-39987

Entities