A critical security flaw in Marimo, an open-source Python notebook platform used for data science and analytical workloads, was exploited less than 10 hours after being publicly disclosed, according to researchers at Sysdig.
The vulnerability, tracked as CVE‑2026‑39987 and assigned a CVSS score of 9.3, is a pre‑authentication remote code execution (RCE) issue that affects all Marimo releases up to and including version 0.20.4. The flaw was remediated in Marimo 0.23.0.
According to the Marimo maintainers, the vulnerability stems from missing authentication checks on the /terminal/ws WebSocket endpoint. “The terminal WebSocket endpoint /terminal/ws does not enforce authentication validation, enabling an unauthenticated attacker to obtain a fully interactive PTY shell and execute arbitrary commands on the system,” the advisory explained.
Unlike other WebSocket endpoints such as /ws, which correctly invoke the validate_auth() function, the /terminal/ws endpoint only verifies the application’s runtime mode and platform compatibility before accepting a connection, entirely bypassing authentication checks. As a result, attackers can gain unrestricted shell access to any publicly exposed Marimo instance with a single unauthenticated WebSocket request.
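Two checks a defender can run against the facts above: classify an installed Marimo version against the version boundaries the advisory gives, and flag every completed WebSocket handshake on /terminal/ws in access logs, with higher severity when the request carried no authentication material at all. This is an added example, not Marimo's or Sysdig's code; the JSON Lines log format, the field names, and the idea that a deployment fronts Marimo with a cookie, bearer token or access_token query parameter are assumptions, and the log lines are constructed.

```python
import json
import re
from dataclasses import dataclass

# Version boundaries exactly as stated in the advisory coverage:
# every release up to and including 0.20.4 is affected; the fix shipped in 0.23.0.
LAST_AFFECTED = (0, 20, 4)
FIXED_IN = (0, 23, 0)
TERMINAL_WS = "/terminal/ws"


def parse_version(text: str) -> tuple:
    """Turn '0.20.4' or 'v0.23.0' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def affected_status(version: str) -> str:
    """Classify an installed Marimo version against the published ranges.

    Releases between 0.20.4 and 0.23.0 are not described by the advisory text
    used here, so they are reported as 'unverified' rather than guessed at.
    """
    v = parse_version(version)
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIXED_IN:
        return "fixed"
    return "unverified"


def _lower_headers(headers: dict) -> dict:
    return {k.lower(): str(v) for k, v in headers.items()}


def is_websocket_upgrade(headers: dict) -> bool:
    """RFC 6455 handshake: 'Connection: Upgrade' plus 'Upgrade: websocket'."""
    h = _lower_headers(headers)
    return (h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in h.get("connection", "").lower())


def carries_auth_material(headers: dict, query: str) -> bool:
    """Assumption: the deployment expects a cookie, bearer token or access_token
    query parameter. The vulnerable endpoint ignores all of them, so their absence
    raises severity but their presence does not clear the event."""
    h = _lower_headers(headers)
    return "authorization" in h or "cookie" in h or "access_token=" in query


@dataclass
class Finding:
    client: str
    severity: str
    reason: str


def review_access_log(lines) -> list:
    """Flag every completed WebSocket handshake (HTTP 101) on /terminal/ws."""
    findings = []
    for raw in lines:
        ev = json.loads(raw)
        if ev.get("path") != TERMINAL_WS or ev.get("status") != 101:
            continue
        headers = ev.get("headers", {})
        if not is_websocket_upgrade(headers):
            continue
        if carries_auth_material(headers, ev.get("query", "")):
            findings.append(Finding(ev["client"], "review",
                            "terminal session opened with auth material present; confirm the operator"))
        else:
            findings.append(Finding(ev["client"], "critical",
                            "terminal session opened with no auth material; matches the pre-auth RCE pattern"))
    return findings


# Constructed sample log lines (JSON Lines); not real Marimo or proxy output.
SAMPLE_LOG = [
    '{"client": "10.0.0.5", "method": "GET", "path": "/ws", "query": "", '
    '"headers": {"Connection": "Upgrade", "Upgrade": "websocket", "Cookie": "session=abc"}, "status": 101}',
    '{"client": "203.0.113.7", "method": "GET", "path": "/terminal/ws", "query": "", '
    '"headers": {"Connection": "Upgrade", "Upgrade": "websocket"}, "status": 101}',
    '{"client": "10.0.0.5", "method": "GET", "path": "/terminal/ws", "query": "access_token=redacted", '
    '"headers": {"Connection": "Upgrade", "Upgrade": "websocket"}, "status": 101}',
    '{"client": "203.0.113.7", "method": "GET", "path": "/terminal/ws", "query": "", '
    '"headers": {}, "status": 404}',
]

if __name__ == "__main__":
    print("0.20.4 ->", affected_status("0.20.4"), "| 0.23.0 ->", affected_status("0.23.0"))
    for f in review_access_log(SAMPLE_LOG):
        print(f.severity.upper(), f.client, "-", f.reason)
```

Because the endpoint performs no authentication, the critical finding is the one with no auth material from a non-local client; the "review" finding exists only so that legitimate terminal use by an operator is not silently dropped. Treat any exposed instance at an affected version as compromised until the host has been examined.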
Sysdig reported detecting the first real-world exploitation attempt 9 hours and 41 minutes after the vulnerability disclosure. Remarkably, the attacker launched a credential theft attempt within minutes, despite the absence of publicly available proof‑of‑concept (PoC) exploit code at the time.
The unidentified threat actor reportedly connected to the vulnerable /terminal/ws endpoint on a Sysdig honeypot and conducted hands‑on reconnaissance of the system. Shortly after connecting, the attacker examined the file system and attempted to extract sensitive information, including contents from .env files, SSH keys, and other potentially valuable files.
Approximately one hour later, the attacker returned to reaccess the honeypot, rechecking the .env file and attempting to determine whether other threat actors had accessed the environment during the same timeframe. No additional payloads such as cryptocurrency miners, backdoors, or persistence mechanisms were observed during the attack.
“The attacker constructed a functional exploit directly from the vulnerability advisory, connected to the unauthenticated terminal interface, and manually navigated the compromised environment,” Sysdig said. “Across four separate sessions spanning about 90 minutes, the attacker paused and resumed activity, behavior consistent with a human operator systematically moving through a list of targets and returning to validate findings.”
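The host-side counterpart to the activity Sysdig describes: an interactive shell running under the notebook server process, followed by reads of .env files and SSH keys from that shell. The detection below walks a process tree and alerts on both the server-spawned shell and any descendant command touching secret-bearing paths. It is an added example, not Sysdig's or Marimo's code; the event schema (pid, ppid, comm, cmdline), the assumption that the server is recognisable by "marimo" in its command line, and the sample events are all constructed.

```python
import re

# Assumption: the notebook server shows 'marimo' in its command line.
SERVER_PATTERN = re.compile(r"\bmarimo\b")
SHELLS = {"bash", "sh", "zsh", "dash"}
# Secret-bearing paths the report says were targeted (.env files, SSH keys), plus
# obvious companions; extend for your environment.
SENSITIVE_PATTERNS = [
    (re.compile(r"\.env\b"), "dotenv file"),
    (re.compile(r"\.ssh(/|\b)"), "SSH directory or key"),
    (re.compile(r"id_(rsa|ed25519|ecdsa)\b"), "SSH private key"),
    (re.compile(r"/etc/shadow\b"), "password hashes"),
]


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def ancestors(pid, by_pid):
    """Yield parent events walking up the process tree (cycle-safe)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]["ppid"]
        if parent not in by_pid:
            return
        yield by_pid[parent]
        pid = parent


def is_server_spawned_shell(ev, by_pid):
    """A shell whose ancestry includes the notebook server process."""
    if ev["comm"] not in SHELLS:
        return False
    return any(SERVER_PATTERN.search(a["cmdline"]) for a in ancestors(ev["pid"], by_pid))


def detect(events):
    """Return alerts for server-spawned shells and sensitive reads beneath them."""
    by_pid = index_by_pid(events)
    suspect_shells = {e["pid"] for e in events if is_server_spawned_shell(e, by_pid)}
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["pid"] in suspect_shells:
            alerts.append({"ts": e["ts"], "pid": e["pid"], "cmdline": e["cmdline"],
                           "rule": "shell spawned by notebook server"})
            continue
        if not any(a["pid"] in suspect_shells for a in ancestors(e["pid"], by_pid)):
            continue  # a shell elsewhere (e.g. an admin login) is out of scope
        for pattern, label in SENSITIVE_PATTERNS:
            if pattern.search(e["cmdline"]):
                alerts.append({"ts": e["ts"], "pid": e["pid"], "cmdline": e["cmdline"],
                               "rule": f"access to {label} from server-spawned shell"})
                break
    return alerts


# Constructed process-execution events; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 400, "ppid": 1,   "comm": "python", "cmdline": "python -m marimo edit --host 0.0.0.0"},
    {"ts": 2, "pid": 410, "ppid": 400, "comm": "bash",   "cmdline": "bash"},
    {"ts": 3, "pid": 411, "ppid": 410, "comm": "cat",    "cmdline": "cat /srv/app/.env"},
    {"ts": 4, "pid": 412, "ppid": 410, "comm": "ls",     "cmdline": "ls -la /root/.ssh"},
    {"ts": 5, "pid": 413, "ppid": 410, "comm": "cat",    "cmdline": "cat /root/.ssh/id_rsa"},
    {"ts": 6, "pid": 420, "ppid": 1,   "comm": "bash",   "cmdline": "bash"},
    {"ts": 7, "pid": 421, "ppid": 420, "comm": "cat",    "cmdline": "cat /srv/app/.env"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"t={a['ts']} pid={a['pid']} {a['rule']}: {a['cmdline']}")
```

The same read of /srv/app/.env from an administrator's shell (pid 421) produces no alert, because the rule keys on lineage rather than on the command alone; that is what keeps it usable on a host where operators also read configuration files. Legitimate use of the terminal feature will trip the first rule, so tune it to the accounts and networks expected to open terminals.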
The rapid weaponization of CVE‑2026‑39987 underscores how closely threat actors monitor vulnerability disclosures and how quickly they move to exploit newly revealed weaknesses, often before patches are widely applied. This ongoing trend continues to narrow the response window for defenders following public disclosure.
As Sysdig noted, “The assumption that attackers focus solely on widely adopted platforms is fundamentally flawed. Any internet‑exposed application with a critical vulnerability is a viable target, regardless of its popularity.”