Urgent Security Alert: Marimo Python Tool Exploited Within Hours of Flaw Disclosure
A critical security vulnerability in Marimo, an open-source Python notebook tool widely used for data science and analysis, was ruthlessly exploited by cyber attackers a mere 10 hours following its public disclosure. This alarming information comes courtesy of cybersecurity firm Sysdig.
The vulnerability, identified as CVE-2026-39987 and carrying a high-risk CVSS score of 9.3, is a pre-authenticated remote code execution flaw. This flaw impacts all versions of Marimo up to and including 0.20.4. The security issue originates from the terminal WebSocket endpoint at /terminal/ws, which shockingly lacks any form of authentication validation. This loophole allows unauthenticated attackers to gain interactive shell access and execute arbitrary system commands.
“The terminal WebSocket endpoint
/terminal/wslacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands,” Marimo maintainers warned in an advisory. Unlike other WebSocket endpoints that correctly implement authentication checks, the terminal endpoint only verifies the running mode and platform support before accepting connections.
The issue has been promptly addressed in version 0.23.0, and users are strongly urged to update immediately. The swift exploitation timeline underscores the increasingly narrow vulnerability window that security teams are up against, especially for developer tools that often sit adjacent to sensitive infrastructure, model-building, and analytics systems.
Source: The Hacker News