A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig.
The vulnerability in question is CVE-2026-39987 (CVSS score: 9.3), a pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. The issue has been addressed in version 0.23.0.
“The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands,” Marimo maintainers said in an advisory earlier this week.
“Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification.”
In other words, attackers can obtain a full interactive shell on any exposed Marimo instance through a single WebSocket connection without requiring any credentials.
Sysdig said it observed the first exploitation attempt targeting the vulnerability within 9 hours and 41 minutes of it being publicly disclosed, with a credential theft operation executed in minutes, despite there being no proof-of-concept (PoC) code available at the time.
The unknown threat actor behind the activity is said to have connected to the /terminal/ws WebSocket endpoint on a honeypot system and initiated manual reconnaissance to explore the file system and, minutes later, systematically attempted to harvest data from the .env file, as well as search for SSH keys and read various files.
The attacker returned to the honeypot an hour later to access the contents of the .env file and check if other threat actors were active during the time window. No other payloads, like cryptocurrency miners or backdoors, were installed.
“The attacker built a working exploit directly from the advisory description, connected to the unauthenticated terminal endpoint, and began manually exploring the compromised environment,” the cloud security company said. “The attacker connected four times over 90 minutes, with pauses between sessions. This is consistent with a human operator working through a list of targets, returning to confirm findings.”
The speed at which newly disclosed flaws are being weaponized indicates that threat actors are closely keeping an eye on vulnerability disclosures and quickly exploiting them during the time between disclosure and patch adoption.This, in turn, has shrunk the time defenders must respond once a vulnerability is publicly announced.
“The assumption that attackers only target widely deployed platforms is wrong. Any internet-facing application with a critical advisory is a target, regardless of its popularity.”
