What happened
A critical vulnerability in the open-source Python notebook platform Marimo is now under active exploitation, with attackers moving quickly after public disclosure. The flaw, tracked as CVE-2026-39987, affects Marimo versions 0.20.4 and earlier and can allow remote code execution without authentication. The issue stems from the /terminal/ws WebSocket endpoint exposing an interactive terminal without proper authentication checks, giving an unauthenticated attacker shell access with the same privileges as the Marimo process. Marimo disclosed the flaw on April 8 and released version 0.23.0 to address it. Researchers observed exploitation less than 10 hours after disclosure, with attackers validating access, running reconnaissance commands, and stealing data such as environment variables, cloud credentials, and application secrets, along with attempts to reach SSH-related files.
Who is affected
The direct exposure affects organizations and users running Marimo versions 0.20.4 and earlier, especially deployments exposed to shared networks while in edit mode or started with --host 0.0.0.0. The observed attacks focused on exposed Marimo instances that allowed unauthenticated access to the vulnerable WebSocket endpoint.
Why CISOs should care
This matters because the flaw gives attackers direct shell access without logging in, and exploitation began almost immediately after public disclosure. The observed activity also shows that attackers are prioritizing fast theft of high-value secrets such as .env contents, cloud credentials, and application secrets rather than noisy follow-on actions like persistence or cryptomining.
3 practical actions
Upgrade immediately: Move affected Marimo deployments to version 0.23.0 without delay.
Monitor the exposed endpoint: Review WebSocket activity to /terminal/ws and investigate any unexpected or unauthenticated connections.
Rotate exposed secrets: Treat .env values, cloud credentials, application secrets, and any reachable SSH material as potentially exposed if vulnerable systems were internet-accessible.
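One way to act on the monitoring step, as an added example that is not part of this advisory or of the Marimo project: a short Python scan over reverse-proxy access-log lines that flags successful WebSocket upgrades of /terminal/ws from any source outside an operator-defined allowlist. The combined-log-format layout with an appended Upgrade field, the sample lines, and the loopback-only allowlist are all assumptions to adapt to your own deployment.

```python
import re

# Constructed sample reverse-proxy access lines (combined log format with the
# Upgrade header appended as a final quoted field); illustrative, not real traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [08/Apr/2026:10:02:11 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0" "websocket"
203.0.113.7 - - [08/Apr/2026:19:41:03 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-requests/2.31" "websocket"
203.0.113.7 - - [08/Apr/2026:19:41:05 +0000] "GET /api/status HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
198.51.100.9 - - [08/Apr/2026:19:45:00 +0000] "GET /ws HTTP/1.1" 101 0 "-" "Mozilla/5.0" "websocket"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<upgrade>[^"]*)"$'
)


def find_untrusted_terminal_ws(log_text, trusted_sources=("127.0.0.1",)):
    """Return one finding per WebSocket session on /terminal/ws opened from an
    address outside trusted_sources (assumed allowlist; loopback only here)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production count these, don't drop silently
        rec = m.groupdict()
        if not rec["path"].startswith("/terminal/ws"):
            continue
        # A 101 (Switching Protocols) or an explicit "websocket" upgrade means the
        # terminal session was actually established, not merely requested.
        if rec["status"] != "101" and rec["upgrade"].lower() != "websocket":
            continue
        if rec["src"] in trusted_sources:
            continue
        findings.append({"src": rec["src"], "ts": rec["ts"], "ua": rec["ua"]})
    return findings


if __name__ == "__main__":
    for hit in find_untrusted_terminal_ws(SAMPLE_LOG):
        print(f"ALERT: /terminal/ws session from {hit['src']} at {hit['ts']} ({hit['ua']})")
```

Each alert is a candidate unauthenticated terminal session and should trigger the secret-rotation step above for the affected host.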
