Critical Marimo RCE Exploited Within 10 Hours of Disclosure


Marcus Rodriguez
April 13, 2026

Key Takeaways

  • A critical pre-authentication Remote Code Execution (RCE) vulnerability in Marimo, an open-source Python notebook platform, was exploited within 10 hours of public disclosure.
  • The flaw, CVE-2026-39987 (CVSS v4.0 score: 9.3), allowed unauthenticated attackers to gain an interactive shell and steal cloud credentials.
  • Affected Marimo versions include 0.20.4 and earlier; immediate patching to version 0.23.0 or later is crucial.
  • The rapid exploitation highlights sophisticated threat actors’ ability to weaponize new vulnerabilities quickly, even for niche software.

Rapid Exploitation of Critical Marimo RCE Underscores Threat Actor Agility

A severe vulnerability impacting Marimo, a popular open-source reactive Python notebook platform, was recently disclosed and subsequently exploited by threat actors in under ten hours. This rapid weaponization led to the theft of sensitive cloud credentials, showcasing the aggressive pace at which modern cyber adversaries operate following public vulnerability disclosures.

The security flaw, officially designated as CVE-2026-39987 (formerly GHSA-2679-6mx9-h9xc), carries a critical CVSS v4.0 score of 9.3. It is categorized as a pre-authentication Remote Code Execution (RCE) vulnerability, specifically targeting the /terminal/ws WebSocket endpoint within the Marimo application.

Technical Details of the Vulnerability

The core issue stems from an authentication bypass: unlike other WebSocket endpoints in Marimo that correctly invoke the validate_auth() function, the /terminal/ws path entirely omits this crucial security check. This oversight permits any unauthenticated attacker to establish a single WebSocket connection and immediately gain a fully interactive pseudo-terminal (PTY) shell.

Because this shell operates with the same privileges as the Marimo process itself, attackers can execute arbitrary system commands and conduct reconnaissance on the underlying host without needing to craft complex exploit payloads. This direct access significantly lowers the bar for exploitation.
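The defect described above is a per-handler authentication pattern in which one handler forgets the check. The following is an added illustration, not Marimo's own code: it keeps the endpoint paths and the validate_auth() name from the advisory text, but the Request type, the session token and the two routers are constructed for the demo. It contrasts the fail-open layout (each handler must call the check itself) with a fail-closed layout (the router authenticates before any handler runs), and adds an audit that lists routes left unprotected.

```python
"""Per-handler vs. router-level authentication on WebSocket endpoints.

Added illustration, not Marimo's own code. The path names and the
validate_auth() name come from the advisory text; the request type,
the token value and the routers are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed session token for the demo; a real service would look the
# presented token up in its session store.
VALID_TOKEN = "demo-session-token"


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


class AuthError(Exception):
    """Raised when a request carries no valid session."""


def validate_auth(req: Request) -> None:
    if req.headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
        raise AuthError(f"unauthenticated access to {req.path}")


def requires_auth(handler: Callable[[Request], str]) -> Callable[[Request], str]:
    """Wrap a handler so validate_auth() runs first, and mark it as covered."""
    def wrapped(req: Request) -> str:
        validate_auth(req)
        return handler(req)
    wrapped.auth_enforced = True  # marker that audit_unprotected() looks for
    return wrapped


def kernel_ws(req: Request) -> str:
    return "kernel attached"


def terminal_ws(req: Request) -> str:
    return "pty shell attached"


# Vulnerable layout: every handler must opt in, and /terminal/ws was never wrapped.
VULNERABLE_ROUTES: Dict[str, Callable[[Request], str]] = {
    "/ws": requires_auth(kernel_ws),
    "/terminal/ws": terminal_ws,
}

# Hardened layout: plain handlers, and the router itself checks auth first.
HARDENED_ROUTES: Dict[str, Callable[[Request], str]] = {
    "/ws": kernel_ws,
    "/terminal/ws": terminal_ws,
}


def dispatch_per_handler(req: Request) -> str:
    """Router that trusts each handler to authenticate (fails open on omission)."""
    return VULNERABLE_ROUTES[req.path](req)


def dispatch_central(req: Request) -> str:
    """Router that authenticates before any handler runs (fails closed)."""
    validate_auth(req)
    return HARDENED_ROUTES[req.path](req)


def reachable_unauthenticated(dispatch: Callable[[Request], str], path: str) -> bool:
    """True if an anonymous request to `path` reaches a handler."""
    try:
        dispatch(Request(path))
        return True
    except AuthError:
        return False


def audit_unprotected(routes: Dict[str, Callable[[Request], str]]) -> List[str]:
    """List routes whose handler is not wrapped by requires_auth; a cheap
    regression check for code bases that keep the per-handler layout."""
    return sorted(p for p, h in routes.items()
                  if not getattr(h, "auth_enforced", False))


if __name__ == "__main__":
    print("per-handler router, anonymous /terminal/ws reachable:",
          reachable_unauthenticated(dispatch_per_handler, "/terminal/ws"))
    print("central router, anonymous /terminal/ws reachable:",
          reachable_unauthenticated(dispatch_central, "/terminal/ws"))
    print("unprotected routes in the per-handler layout:",
          audit_unprotected(VULNERABLE_ROUTES))
```

The point of the central router is that adding a new endpoint cannot silently widen the unauthenticated surface; the audit function is the fallback for code bases where moving the check is not practical.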

From Disclosure to Compromise: A Timeline

Remarkably, at the time of the attack, no public proof-of-concept (PoC) code was available. The threat actor demonstrated advanced capabilities by manually constructing a functional exploit directly from the technical details provided in the vulnerability advisory. During the intrusion, the attacker initially ran a structured validation script before proceeding with manual reconnaissance activities.

According to analysis by the Sysdig Threat Research Team, the initial exploitation attempt occurred just 9 hours and 41 minutes after the advisory was made public. Within a mere three minutes of achieving access, the attacker successfully located and exfiltrated the .env file, which contained critical AWS access keys and other application secrets.

This incident serves as a stark reminder that threat actors actively monitor new vulnerability disclosures, even for niche software like Marimo, which has approximately 20,000 GitHub stars. All Marimo versions up to and including 0.20.4 are affected by this critical flaw.

Indicator of Compromise

The source IP identified in exploiting the WebSocket terminal and stealing credentials is 49.207.56[.]74.

What You Should Do

  • Immediate Patching: Update Marimo installations to patched version 0.23.0 or later without delay.
  • Network Access Restriction: If immediate patching is not feasible, restrict external network access to the /terminal/ws endpoint as an interim mitigation.
  • Audit Exposed Instances: Conduct a thorough audit of environment variables and .env files on any Marimo instances that may have been previously exposed.
  • Credential Rotation: Promptly rotate all potentially compromised AWS credentials, API keys, database passwords, and SSH keys.
  • Implement Authentication Layer: Implement an authentication layer or a reverse proxy in front of notebook platforms before exposing them to the internet.
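To support the patching and audit steps above, here is an added triage helper (not Sysdig's or Marimo's tooling): it classifies an installed version against the boundaries the report gives, and scans access-log lines for completed WebSocket upgrades (HTTP 101) to /terminal/ws from addresses outside an assumed internal allow-list, tagging any that match the published source IP. The log lines are constructed for the example.

```python
"""Triage helper for the Marimo /terminal/ws issue: version check plus
access-log scan. Added example, not Sysdig's or Marimo's tooling. Log lines
are constructed; the IoC address and version boundaries are the ones the
report states. TRUSTED_NETS is an assumed allow-list for a typical deployment.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

PATCHED_VERSION = (0, 23, 0)   # "update to 0.23.0 or later"
LAST_AFFECTED = (0, 20, 4)     # "up to and including 0.20.4"
IOC_SOURCE_IPS = {"49.207.56[.]74".replace("[.]", ".")}  # defanged IoC from the report

# Assumed internal ranges; adjust to the deployment. The TEST-NET documentation
# ranges are deliberately absent so the sample below treats them as external.
TRUSTED_NETS = [ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
127.0.0.1 - - [13/Apr/2026:08:14:02 +0000] "GET /ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
49.207.56.74 - - [13/Apr/2026:08:14:05 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-requests/2.31"
203.0.113.9 - - [13/Apr/2026:08:15:11 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "curl/8.4.0"
10.0.0.5 - - [13/Apr/2026:08:16:40 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2026:08:17:01 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.4.0"
198.51.100.7 - - [13/Apr/2026:08:17:09 +0000] "GET /static/app.js HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Leading major.minor.patch of a version string (pre-release suffixes ignored)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m[1]), int(m[2]), int(m[3])


def is_confirmed_affected(version: str) -> bool:
    return parse_version(version) <= LAST_AFFECTED


def needs_upgrade(version: str) -> bool:
    """True for anything below the patched release. The report gives no status
    for releases between 0.20.4 and 0.23.0, so treat them as needing the update."""
    return parse_version(version) < PATCHED_VERSION


def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_terminal_ws_upgrades(log_text: str) -> List[Dict[str, object]]:
    """External clients that completed a WebSocket upgrade on /terminal/ws."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        # Only a 101 means the upgrade succeeded; a 403 from a proxy is the
        # interim mitigation doing its job and is not counted here.
        if path != "/terminal/ws" or m["status"] != "101" or is_trusted(m["ip"]):
            continue
        hits.append({"ip": m["ip"], "time": m["ts"],
                     "known_ioc": m["ip"] in IOC_SOURCE_IPS})
    return hits


if __name__ == "__main__":
    for v in ("0.20.4", "0.22.1", "0.23.0"):
        print(v, "confirmed affected:", is_confirmed_affected(v),
              "needs upgrade:", needs_upgrade(v))
    for hit in find_terminal_ws_upgrades(SAMPLE_LOG):
        print(hit)
```

Any hit from this scan, IoC match or not, should trigger the audit and credential-rotation steps above, since a completed upgrade on that path by an unauthenticated client is equivalent to an interactive shell.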
