Marimo CVE-2026-39987: Pre-Auth RCE Exploited Within 10 Hours of Disclosure | Security
A critical pre-authentication RCE in Marimo (CVSS 9.3) was exploited within 10 hours of its April 8 disclosure. Versions ≤0.20.4 are affected; patch to 0.23.0…
Published on MyPrivateClaw
Apr 13, 2026, 8:37 AM UTC
Coverage date
Apr 13, 2026
Last updated
Apr 15, 2026, 10:24 AM UTC
News summary
A critical vulnerability in the Marimo open-source Python notebook platform is under active exploitation. CVE-2026-39987, a pre-authentication remote code execution flaw, was disclosed on April 8, 2026, and attackers began exploiting it less than 10 hours later.

What Happened

Marimo's /terminal/ws WebSocket endpoint exposes a full interactive terminal without performing any authentication check. While the application's other WebSocket endpoints call validate_auth() before accepting a connection, the terminal endpoint only verifies the running mode and platform support, then grants a full PTY shell to any client that connects.

Cloud security firm Sysdig observed 125 IP addresses conducting reconnaissance within the first 12 hours after the advisory was published. The first confirmed exploitation involved an attacker connecting to /terminal/ws and executing pwd, whoami, and ls to m…
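The two points above that a practitioner would want to see in code are the shape of the defect (one WebSocket route skipping the auth gate that its siblings apply, beside the hardened form) and a way to spot the observed exploitation sequence (a /terminal/ws connection followed by pwd, whoami, ls) in logs. The block below is an added example written for this page; it is not Marimo's code. It reduces the framework to plain Python: `Request`, `validate_auth()` (modelled as a session-token comparison), the `SERVER` state dict, the `ws_connect`/`pty_exec` log format and the sample log lines are all constructed for the example, and the client addresses are RFC 5737 documentation ranges.

```python
"""Added example, not Marimo's own code: the auth-gating defect described in
the advisory (one WebSocket route omits the check the others perform) beside
its hardened form, plus a detector for the observed exploitation sequence run
over constructed log lines. Request, validate_auth(), SERVER and the log
format are assumptions made for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable


class AuthError(Exception):
    pass


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


# Hypothetical server state standing in for "running mode" and platform support.
SERVER = {"mode": "edit", "pty_supported": True, "session_token": "s3cr3t"}


def validate_auth(req: Request) -> None:
    """Stand-in for the shared auth check: session cookie or bearer token must match."""
    bearer = req.headers.get("Authorization", "")
    token = req.cookies.get("session") or bearer.removeprefix("Bearer ").strip()
    if token != SERVER["session_token"]:
        raise AuthError("unauthenticated websocket")


def kernel_ws(req: Request) -> str:
    """How the other WebSocket routes behave: auth gate first, work second."""
    validate_auth(req)
    return "kernel-stream"


def terminal_ws_vulnerable(req: Request) -> str:
    """The defective pattern: only mode and platform are checked, so any peer
    that can reach the route is handed the PTY."""
    if SERVER["mode"] != "edit" or not SERVER["pty_supported"]:
        raise PermissionError("terminal disabled")
    return "pty-shell"


def terminal_ws_fixed(req: Request) -> str:
    """Hardened form: the same gate as every other route, before anything else."""
    validate_auth(req)
    if SERVER["mode"] != "edit" or not SERVER["pty_supported"]:
        raise PermissionError("terminal disabled")
    return "pty-shell"


def audit_routes(routes: dict[str, Callable[[Request], str]]) -> list[str]:
    """Self-check: which routes let a credential-less request past the auth gate?
    Anything other than AuthError means endpoint logic ran unauthenticated."""
    exposed = []
    for path, handler in routes.items():
        try:
            handler(Request(path=path))
        except AuthError:
            continue
        except Exception:
            pass
        exposed.append(path)
    return exposed


# Detection over log lines; the event format is invented for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>ws_connect|pty_exec) client=(?P<client>\S+)"
    r"(?: path=(?P<path>\S+))?(?: cmd=\"(?P<cmd>[^\"]*)\")?$"
)
RECON_CMDS = {"pwd", "whoami", "ls", "id", "uname"}  # pwd/whoami/ls were observed


def detect_terminal_abuse(lines, window=timedelta(minutes=5)):
    """Return (hits, probes): hits maps each client that opened /terminal/ws and
    ran reconnaissance commands within `window` to those commands; probes lists
    clients that opened the endpoint and ran nothing."""
    opened: dict[str, datetime] = {}
    hits: dict[str, list[str]] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        client = m["client"]
        if m["event"] == "ws_connect" and m["path"] == "/terminal/ws":
            opened[client] = ts
        elif m["event"] == "pty_exec" and client in opened and ts - opened[client] <= window:
            argv0 = (m["cmd"] or "").split()[:1]
            if argv0 and argv0[0] in RECON_CMDS:
                hits.setdefault(client, []).append(m["cmd"])
    probes = sorted(set(opened) - set(hits))
    return hits, probes


# Constructed sample log: one exploitation, one bare probe, one unrelated socket.
SAMPLE_LOG = """\
2026-04-09T03:12:44Z ws_connect client=203.0.113.7 path=/terminal/ws
2026-04-09T03:12:45Z pty_exec client=203.0.113.7 cmd="pwd"
2026-04-09T03:12:46Z pty_exec client=203.0.113.7 cmd="whoami"
2026-04-09T03:12:47Z pty_exec client=203.0.113.7 cmd="ls -la"
2026-04-09T03:15:01Z ws_connect client=198.51.100.9 path=/terminal/ws
2026-04-09T03:20:10Z ws_connect client=192.0.2.44 path=/ws
2026-04-09T03:20:11Z pty_exec client=192.0.2.44 cmd="ls"
""".splitlines()
```

`audit_routes` is the check worth keeping around: run it against a route table with an empty request and the vulnerable terminal handler is the one entry that comes back, while the hardened handler rejects the request before any endpoint logic runs. The detector deliberately keys on the connection to /terminal/ws rather than on the commands alone, so a client that ran `ls` over a different socket is not reported, and a client that only opened the endpoint is surfaced separately as a probe.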