Critical RCE Vulnerability in Marimo Exploited Within Hours of Disclosure

Severity: High (Score: 78.0)

Sources: Securityaffairs.Co, www.sysdig.com, nvd.nist.gov, Bleepingcomputer

Summary

On April 8, 2026, a critical vulnerability in the Marimo open-source Python notebook platform was disclosed, tracked as CVE-2026-39987. This pre-authentication remote code execution (RCE) flaw allows attackers to gain a full interactive shell without credentials via the '/terminal/ws' WebSocket endpoint. Within 10 hours of the advisory, attackers began exploiting the vulnerability, leading to credential theft operations that were executed in under three minutes. The Sysdig Threat Research Team reported that the first exploitation attempt occurred just 9 hours and 41 minutes after the advisory was published.

The vulnerability affects Marimo versions 0.20.4 and earlier, and the developers released version 0.23.0 to address the issue. The rapid exploitation highlights the capability of threat actors to weaponize vulnerabilities in niche software quickly. Marimo, with approximately 20,000 GitHub stars, is primarily used by data scientists and developers. Users are urged to upgrade immediately to mitigate risks.

Key Points

  • CVE-2026-39987 allows RCE without authentication in Marimo versions 0.20.4 and earlier.
  • First exploitation was observed just 9 hours and 41 minutes after the vulnerability disclosure.
  • Marimo users are advised to upgrade to version 0.23.0 to protect against this critical flaw.
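Two checks a defender can run from the facts in the summary, as an added example that is not code from Marimo, Sysdig or the advisory: flag completed WebSocket upgrades to '/terminal/ws' from non-loopback clients in proxy logs, and classify an installed version against the affected range (0.20.4 and earlier) and the fixed release (0.23.0). The log format and all log lines below are constructed for the example; it assumes a reverse proxy in front of the notebook that records the Upgrade header.

```python
import re
from typing import List, Tuple

# Constructed access-log lines (not real data): client IP, request line,
# status code, and the value of the Upgrade request header.
SAMPLE_LOG = """\
203.0.113.7 "GET /terminal/ws HTTP/1.1" 101 upgrade="websocket"
127.0.0.1 "GET /terminal/ws HTTP/1.1" 101 upgrade="websocket"
203.0.113.7 "GET /ws?session_id=abc HTTP/1.1" 101 upgrade="websocket"
198.51.100.20 "GET /terminal/ws HTTP/1.1" 403 upgrade="websocket"
203.0.113.9 "GET /api/kernel/run HTTP/1.1" 200 upgrade="-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) upgrade="(?P<upgrade>[^"]*)"$'
)

def find_terminal_ws_upgrades(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, path) for successful WebSocket upgrades (HTTP 101)
    to /terminal/ws from non-loopback clients. A notebook meant to be reached
    only from localhost should never produce one of these."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]      # drop query string
        loopback = m.group("ip").startswith("127.") or m.group("ip") == "::1"
        if (path == "/terminal/ws" and m.group("status") == "101"
                and m.group("upgrade").lower() == "websocket" and not loopback):
            hits.append((m.group("ip"), path))
    return hits

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.strip().lstrip("v").split("."))

def is_affected_version(v: str) -> bool:
    """True for 0.20.4 and earlier, the affected range given in the advisory."""
    return parse_version(v) <= (0, 20, 4)

def needs_upgrade(v: str) -> bool:
    """True below 0.23.0, the release the advisory names as the fix."""
    return parse_version(v) < (0, 23, 0)

if __name__ == "__main__":
    for ip, path in find_terminal_ws_upgrades(SAMPLE_LOG):
        print(f"ALERT: external WebSocket upgrade to {path} from {ip}")
    for v in ("0.20.4", "0.21.0", "0.23.0"):
        print(v, "affected" if is_affected_version(v) else "outside affected range",
              "- upgrade" if needs_upgrade(v) else "- at fixed release")
```

Versions between 0.20.4 and 0.23.0 are not characterized by the summary, so the two version functions report them separately rather than guessing.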

Key Entities

  • Data Breach (attack_type)
  • Zero-day Exploit (attack_type)
  • CVE-2026-33017 (cve)
  • CVE-2026-39987 (cve)
  • 49.207.56.74 (ipv4)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1046 - Network Service Discovery (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • Marimo (platform)