Critical RCE Vulnerability in Marimo Exploited Within 10 Hours of Disclosure

Critical RCE Vulnerability in Marimo Exploited Within 10 Hours of Disclosure

First seen 12 Apr 2026, 14:46 UTC Securityaffairs.CoBleepingcomputernvd.nist.govGbhackersHeise.De+12 87% similarity 78.0

Article Content

Browse articles
ThreatCluster

A critical pre-authentication remote code execution (RCE) vulnerability in Marimo, an open-source Python notebook platform, was disclosed on April 8, 2026, and exploited within 9 hours and 41 minutes. The vulnerability, tracked as CVE-2026-39987, allows unauthenticated attackers to gain full control of affected Marimo instances by connecting to the terminal WebSocket endpoint (/terminal/ws) without any credentials. The flaw affects all versions prior to 0.23.0, with a CVSS score of 9.3. Attackers were able to execute arbitrary commands and exfiltrate sensitive information, including AWS access keys, in under three minutes. The rapid exploitation indicates that threat actors are actively monitoring vulnerability disclosures for even niche software. Marimo has approximately 20,000 GitHub stars and is primarily used by data scientists and developers. Users are advised to upgrade to version 0.23.0 immediately to mitigate the risk.

Key Points: • The Marimo RCE vulnerability was exploited within 10 hours of its disclosure. • Attackers gained full control of systems via unauthenticated access to a specific WebSocket endpoint. • Sensitive credentials were stolen in under three minutes during the exploitation process.

ThreatCluster AI

Timeline

2026-03-20
CVE-2026-33017 published
2026-04-08
Marimo vulnerability disclosed
2026-04-09
CVE-2026-39987 published
2026-04-09
First exploitation attempt observed
2026-04-12
Marimo version 0.23.0 released to fix the vulnerability

Community

Browse all →