Critical RCE Vulnerability in Marimo Exploited Within 10 Hours of Disclosure
Severity: High (Score: 78.0)
Sources: Cybersecuritynews, Csoonline, www.sysdig.com, Heise.De, nvd.nist.gov
Summary
A critical pre-authentication remote code execution (RCE) vulnerability in Marimo, an open-source Python notebook platform, was disclosed on April 8, 2026, and exploited within 9 hours and 41 minutes. The vulnerability, tracked as CVE-2026-39987, allows unauthenticated attackers to gain full control of affected Marimo instances by connecting to the terminal WebSocket endpoint (/terminal/ws) without any credentials. The flaw affects all versions prior to 0.23.0 and carries a CVSS score of 9.3.

Attackers were able to execute arbitrary commands and exfiltrate sensitive information, including AWS access keys, in under three minutes. The rapid exploitation indicates that threat actors are actively monitoring vulnerability disclosures even for niche software. Marimo has approximately 20,000 GitHub stars and is primarily used by data scientists and developers. Users are advised to upgrade to version 0.23.0 immediately to mitigate the risk.

Key Points:
- The Marimo RCE vulnerability was exploited within 10 hours of its disclosure.
- Attackers gained full control of systems via unauthenticated access to a specific WebSocket endpoint.
- Sensitive credentials were stolen in under three minutes during the exploitation process.
Key Entities
- Data Breach (attack_type)
- Malware (attack_type)
- Zero-day Exploit (attack_type)
- CVE-2026-33017 (cve)
- CVE-2026-39987 (cve)
- 49.207.56.74 (ipv4)
- T1003 - OS Credential Dumping (mitre_attack)
- T1021 - Remote Services (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1046 - Network Service Discovery (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- Marimo (platform)
- Python (tool)