Critical Marimo Flaw Exploited Hours After Public Disclosure
Significant risk — action recommended within 24-48 hours
Basically, hackers found a serious flaw in Marimo and used it to break in quickly.
A critical flaw in Marimo was exploited just hours after its disclosure. Attackers gained unauthorized access and stole credentials. Users must update to the latest version immediately.
What Happened
A critical vulnerability, identified as CVE-2026-39987, was disclosed in Marimo, an open-source reactive notebook for Python. This flaw, which has a CVSS score of 9.3, allows unauthenticated remote code execution (RCE). Within just nine hours of the advisory release, threat actors successfully exploited this vulnerability.
The Flaw
The vulnerability lies in the /terminal/ws WebSocket endpoint, which fails to validate authentication. Unlike other endpoints that enforce authentication checks, this endpoint skips this crucial step. As a result, attackers can gain an interactive shell and execute arbitrary commands without needing any credentials.
Who's Affected
All Marimo releases up to version 0.20.4 are vulnerable. Users are strongly advised to upgrade to version 0.23.0 or later, which includes necessary patches to fix this flaw.
Exploitation Details
According to reports from Sysdig, the first exploitation was recorded just 9 hours and 41 minutes after the vulnerability was made public. The attacker constructed a working exploit based on the advisory description, connecting to the unauthenticated terminal endpoint. This allowed them to perform reconnaissance and exfiltrate sensitive files containing credentials.
Attack Timeline
- 9:41 after the advisory: Exploit observed in the wild.
- 2 minutes after connection: Manual reconnaissance conducted by the attacker.
- 6 minutes later: Attempt to exfiltrate files containing credentials.
This rapid exploitation highlights the need for immediate action following vulnerability disclosures.
What You Should Do
- Update: If you are using Marimo, immediately update to version 0.23.0 or newer.
- Monitor: Keep an eye on your systems for any unauthorized access attempts.
- Educate: Ensure your team understands the importance of promptly applying security updates.
This incident serves as a stark reminder of the vulnerabilities present in widely used software and the speed at which attackers can act. By staying informed and vigilant, organizations can better protect themselves against such threats.
🔍 How to Check If You're Affected
- 1.Check for any unauthorized access attempts in your logs.
- 2.Verify that your Marimo version is updated to 0.23.0 or newer.
- 3.Monitor for unusual activity on the terminal WebSocket endpoint.
🔒 Pro insight: The swift exploitation of CVE-2026-39987 underscores the critical need for timely patching and vulnerability management in open-source software.