Pre-authenticated RCE in Marimo exploited within 10 hours of advisory
Summary
A pre-authenticated remote code execution (RCE) vulnerability in Marimo, an open-source Python notebook platform, was exploited in the wild within 9 hours and 41 minutes of public disclosure. The flaw, tracked as CVE-2026-39987 (CVSS 9.3), affects all versions of Marimo prior to 0.23.0 and resides in the /terminal/ws WebSocket endpoint, which performs no authentication validation. Attackers exploited the endpoint to obtain full PTY shells and execute arbitrary system commands without credentials. Targeted systems included internet-facing Marimo instances, where threat actors performed manual reconnaissance, harvested sensitive files such as .env and SSH keys, and returned to confirm findings, demonstrating rapid, human-driven exploitation even though no PoC was available.
Timeline
- 10.04.2026 10:37: CVE-2026-39987 exploited within 10 hours of Marimo advisory
Within 9 hours and 41 minutes of public disclosure of CVE-2026-39987, threat actors exploited the pre-authenticated RCE in Marimo’s /terminal/ws WebSocket endpoint to obtain full PTY shells on exposed instances. Attackers manually explored compromised systems, retrieved .env files and SSH keys, and returned to confirm findings, indicating human-operated reconnaissance and data harvesting rather than automated payload deployment.
Sources:
- Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure — thehackernews.com — 10.04.2026 10:37
Information Snippets
- CVE-2026-39987 is a pre-authenticated RCE affecting Marimo versions ≤ 0.20.4, patched in 0.23.0.
  First reported: 10.04.2026 10:37 (1 source, 1 article)
- The vulnerable endpoint /terminal/ws accepts WebSocket connections without authentication, unlike other endpoints that call validate_auth().
  First reported: 10.04.2026 10:37 (1 source, 1 article)
- Exploitation occurred within 9 hours and 41 minutes of public disclosure, with attackers connecting to a honeypot via the unauthenticated terminal endpoint.
  First reported: 10.04.2026 10:37 (1 source, 1 article)
- Threat actors manually explored compromised environments, retrieved .env files, searched for SSH keys, and returned to confirm findings across four sessions over 90 minutes.
  First reported: 10.04.2026 10:37 (1 source, 1 article)
- No automated payloads (e.g., cryptocurrency miners, backdoors) were deployed during observed activity; operations were human-driven.
  First reported: 10.04.2026 10:37 (1 source, 1 article)
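A defender-side check for the exposure described above, as an added example that is not from the original article or the Marimo project: it scans reverse-proxy access logs for completed WebSocket upgrades (HTTP 101) to /terminal/ws and groups them by client. It assumes the nginx/Apache "combined" log format; the function names, sample lines and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: Marimo sits behind a reverse proxy writing "combined" format logs.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TERMINAL_PATH = "/terminal/ws"  # endpoint named in the summary above

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:08:01:12 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "-"
198.51.100.4 - - [10/Apr/2026:08:02:40 +0000] "GET / HTTP/1.1" 200 812 "-" "-"
203.0.113.7 - - [10/Apr/2026:08:31:05 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 0 "-" "-"
192.0.2.50 - - [10/Apr/2026:08:40:00 +0000] "GET /terminal/ws HTTP/1.1" 403 153 "-" "-"
192.0.2.9 - - [10/Apr/2026:08:41:00 +0000] "GET /docs/terminal/ws.html HTTP/1.1" 200 512 "-" "-"
"""

def terminal_ws_hits(log_text):
    """Return {client_ip: {"upgraded": [datetimes], "refused": [datetimes]}}."""
    hits = defaultdict(lambda: {"upgraded": [], "refused": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["target"].split("?", 1)[0].rstrip("/")
        # endswith also covers deployments under a path prefix (assumption).
        if not path.endswith(TERMINAL_PATH):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # 101 Switching Protocols: the WebSocket handshake completed.
        bucket = "upgraded" if m["status"] == "101" else "refused"
        hits[m["ip"]][bucket].append(ts)
    return dict(hits)

def summarize(hits):
    """Rows of (ip, sessions, span_minutes) for clients that completed an upgrade."""
    rows = []
    for ip, h in hits.items():
        if h["upgraded"]:
            span = max(h["upgraded"]) - min(h["upgraded"])
            rows.append((ip, len(h["upgraded"]), span.total_seconds() / 60))
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for ip, sessions, minutes in summarize(terminal_ws_hits(SAMPLE_LOG)):
        print(f"{ip}: {sessions} terminal session(s) over {minutes:.0f} min")
```

Repeated upgrades from one client spread over time match the return-visit pattern reported above; refused attempts are kept separately because they show probing that an upstream control blocked.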