{"id":7790,"date":"2026-04-13T12:34:45","date_gmt":"2026-04-13T12:34:45","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7790"},"modified":"2026-04-13T12:34:45","modified_gmt":"2026-04-13T12:34:45","slug":"critical-flaw-in-marimo-python-notebook-exploited-within-10-hours-of-disclosure","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7790","title":{"rendered":"Critical flaw in Marimo Python notebook exploited within 10 hours of disclosure"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

A critical pre-authentication remote code execution vulnerability in Marimo, an open-source Python notebook platform owned by AI cloud company CoreWeave, was exploited in the wild less than 10 hours after its public disclosure, according to the Sysdig Threat Research Team.<\/p>\n

The vulnerability, tracked as CVE-2026-39987<\/a> with a severity score of 9.3 out of 10, affects all Marimo versions before 0.23.0.<\/p>\n

It requires no login, no stolen credentials, and no complex exploit. An attacker only needs to send a single connection request to a specific endpoint on an exposed Marimo server to gain complete control of the system, the Sysdig team wrote in a blog post<\/a>.<\/p>\n

The flaw allows an unauthenticated attacker to obtain a full interactive shell and execute arbitrary system commands on any exposed Marimo instance through a single connection, with no credentials required, the post said.<\/p>\n

\u201cMarimo has a Pre-Auth RCE vulnerability,\u201d the Marimo team wrote in its GitHub security advisory<\/a>. \u201cThe terminal WebSocket endpoint \/terminal\/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.\u201d<\/p>\n

Marimo is a Python-based reactive notebook with roughly 20,000 stars on GitHub and was acquired<\/a> by CoreWeave in October 2025.<\/p>\n

How the flaw works<\/h2>\n

Marimo\u2019s server includes a built-in terminal feature that lets users run commands directly from the browser. That terminal was accessible over the network without any authentication check, while other parts of the same server correctly required users to log in before connecting, the post said.<\/p>\n

\u201cThe terminal endpoint skips this check entirely, accepting connections from any unauthenticated user and granting a full interactive shell running with the privileges of the Marimo process,\u201d the post added.<\/p>\n

In practical terms, anyone who could reach the server over the internet could walk straight into a live command shell, often with administrator-level access, without ever entering a password, the team at Sysdig said.<\/p>\n

Credentials stolen in under three minutes<\/h2>\n

To track real-world exploitation, deployed honeypot servers running vulnerable Marimo instances across multiple cloud providers and observed the first exploitation attempt within 9 hours and 41 minutes of disclosure. No ready-made exploit tool existed at the time. The attacker had built one using only the advisory description, Sysdig researchers wrote.<\/p>\n

The attacker worked in stages across four sessions. A brief first session confirmed the vulnerability was exploitable. A second session involved manually browsing the server\u2019s file system. By the third session, the attacker had located and read an environment file containing AWS access keys and other application credentials. The entire operation took under three minutes, the post said.<\/p>\n

\u201cThis is a complete credential theft operation executed in under 3 minutes,\u201d the Sysdig team wrote.<\/p>\n

The attacker then returned over an hour later to re-check the same files. The behavior was consistent with a human operator working through a list of targets rather than an automated scanner, the post said.<\/p>\n

Part of a widening pattern<\/h2>\n

The pace of exploitation aligns with a trend seen across AI and open-source tooling<\/a>. A critical flaw in Langflow was weaponized within 20 hours of disclosure earlier this year, also tracked by Sysdig. The Marimo case cut that window roughly in half, with no public exploit code in circulation at the time.<\/p>\n

\u201cNiche or less popular software is not safer software,\u201d the Sysdig post said. Any internet-facing application with a published critical advisory is a target within hours of disclosure, regardless of its install base, it added.<\/p>\n

The Marimo case had no CVE number assigned at the time of the first attack, meaning organizations dependent on CVE-based scanning would not have flagged the advisory at all, Sysdig noted.<\/p>\n

The flaw also fits a pattern of critical RCE vulnerabilities<\/a> in AI-adjacent developer tools \u2014 including MLflow, n8n, and Langflow \u2014 in which code-execution features built for convenience become dangerous when exposed to the internet without consistent authentication controls.<\/p>\n

What organizations should do<\/h2>\n

Marimo released a patched version, 0.23.0, which closes the authentication gap in the terminal endpoint. Organizations running any earlier version should update immediately, Sysdig said.<\/p>\n

Teams that cannot update right away should block external access to Marimo servers using firewall rules or place them behind an authenticated proxy, the post said. Any instance that has been publicly reachable should be treated as potentially compromised.<\/p>\n

\u201cCredentials stored on those servers, including cloud access keys and API tokens, should be rotated as a precaution,\u201d Sysdig advised.<\/p>\n

CoreWeave did not immediately respond to a request for comment.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

A critical pre-authentication remote code execution vulnerability in Marimo, an open-source Python notebook platform owned by AI cloud company CoreWeave, was exploited in the wild less than 10 hours after its public disclosure, according to the Sysdig Threat Research Team. The vulnerability, tracked as CVE-2026-39987 with a severity score of 9.3 out of 10, affects […]<\/p>\n","protected":false},"author":0,"featured_media":7791,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7790","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7790"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7790"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7790\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7791"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}