A critical pre-authentication remote code execution flaw in Marimo, the open-source Python notebook platform owned by CoreWeave, was exploited in the wild less than 10 hours after disclosure, according to a technical analysis from Sysdig Threat Research Team. The issue, tracked as CVE-2026-39987, affects all versions before 0.23.0 and carries a severity score of 9.3 out of 10.
KEY FACTS
- Exposure The flaw allows unauthenticated remote code execution through Marimo’s terminal WebSocket endpoint.
- Timing First exploitation was seen 9 hours and 41 minutes after disclosure.
- Impact Attackers obtained shell access and stole credentials from a vulnerable instance in under three minutes.
- Fix Marimo version 0.23.0 closes the authentication gap.
Marimo’s server includes a browser-based terminal feature, but the terminal endpoint skipped the authentication check used by other parts of the service. That let any reachable user connect directly to a shell running with the privileges of the Marimo process.
Sysdig said it monitored vulnerable honeypot instances across multiple cloud providers to track abuse. The first attacker session briefly tested the flaw, then moved through the file system before finding an environment file with AWS access keys and other application credentials.
The attacker returned later to recheck the same files, behavior the report described as consistent with a human operator rather than an automated scanner. Sysdig said no ready-made exploit was available at the time and that the attacker built one from the advisory description.
Marimo’s GitHub security advisory said the terminal WebSocket endpoint /terminal/ws lacks authentication validation. The company said an unauthenticated attacker could obtain a full PTY shell and execute arbitrary system commands.
Organizations running earlier versions are being urged to update immediately. Those that cannot patch right away should block external access or place servers behind an authenticated proxy, and any publicly reachable instance should be treated as potentially compromised.
WHY IT MATTERS
The case shows how quickly exposed internet-facing software can be targeted once a critical flaw becomes public. It also highlights the risk of storing credentials on systems that can be reached without authentication.