Securityaffairs.Co
Critical RCE Vulnerability in Marimo Exploited Within 10 Hours of Disclosure
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A critical pre-authentication remote code execution (RCE) vulnerability in Marimo, an open-source Python notebook platform, was disclosed on April 8, 2026, and exploited within 9 hours and 41 minutes. The vulnerability, tracked as CVE-2026-39987, allows unauthenticated attackers to gain full control of affected Marimo instances by connecting to the terminal WebSocket endpoint (/terminal/ws) without any credentials. The flaw affects all versions prior to 0.23.0, with a CVSS score of 9.3. Attackers were able to execute arbitrary commands and exfiltrate sensitive information, including AWS access keys, in under three minutes. The rapid exploitation indicates that threat actors are actively monitoring vulnerability disclosures for even niche software. Marimo has approximately 20,000 GitHub stars and is primarily used by data scientists and developers. Users are advised to upgrade to version 0.23.0 immediately to mitigate the risk.
Key Points: • The Marimo RCE vulnerability was exploited within 10 hours of its disclosure. • Attackers gained full control of systems via unauthenticated access to a specific WebSocket endpoint. • Sensitive credentials were stolen in under three minutes during the exploitation process.