A critical pre-authentication remote code execution vulnerability (CVE-2026-39987, CVSS 9.3) in Marimo, the open-source Python notebook platform, is being actively exploited in the wild. The flaw is an unauthenticated WebSocket terminal endpoint ('/terminal/ws'): any client that can reach the notebook server can complete the WebSocket upgrade without credentials and is handed a full shell. Exploitation began less than 10 hours after public disclosure, and attackers were observed harvesting .env credentials, cloud secrets, and SSH keys in under three minutes from first contact. Sysdig researchers counted 125 distinct IPs performing reconnaissance for the endpoint within 12 hours. Users should immediately upgrade to version 0.23.0, restrict network access to the endpoint (or to the notebook server as a whole) with a firewall or reverse-proxy rule, and rotate any secrets that were reachable from an exposed host.

From bleepingcomputer.com
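Two checks a defender would want for the exposure described above, written here as an added example rather than code from Marimo, BleepingComputer or Sysdig. The first sends the standard RFC 6455 client opening handshake to /terminal/ws with no cookie or token and reports whether the server accepts the upgrade; the second scans web-server access logs for hits on the same path to find who was handed a shell before the upgrade or firewall rule landed. The only facts taken from the article are the endpoint path and that the vulnerable build accepts the upgrade unauthenticated; the Combined Log Format, the sample log lines, the IP addresses and the trusted-IP allowlist are constructed for this example, and which non-101 status a patched or proxied deployment returns is not fixed by the article.

```python
"""Probe and log-scan for an unauthenticated /terminal/ws endpoint.

Added example, not Marimo's own code. The handshake is the standard RFC 6455
client opening handshake; the log format and sample lines are constructed.
"""
import base64
import os
import re
import socket
from collections import defaultdict

TERMINAL_PATH = "/terminal/ws"


def build_handshake(host: str, path: str = TERMINAL_PATH) -> bytes:
    """Build a WebSocket opening handshake carrying no cookie or auth token.

    A server that answers 101 to this request is letting an anonymous client
    open the terminal WebSocket; the handshake sends no frames, so it does
    not run anything on the target.
    """
    key = base64.b64encode(os.urandom(16)).decode()
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    ).encode()


def classify_status(status_line: str) -> str:
    """Map the server's HTTP status line to a verdict.

    101 means the upgrade was accepted without credentials ("exposed"). Any
    other HTTP status means no terminal was handed out to an anonymous client;
    the exact code a patched or firewalled deployment returns is an assumption
    left open here, so all of them collapse to "not-accepted".
    """
    m = re.match(r"HTTP/1\.[01] (\d{3})", status_line)
    if not m:
        return "unexpected"
    return "exposed" if int(m.group(1)) == 101 else "not-accepted"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send the unauthenticated handshake over plain TCP and classify the reply.

    Opens a real network connection (no TLS), so the offline test does not
    call it. Use the host and port your notebook server actually listens on.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_handshake(host))
        first_line = s.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")
    return classify_status(first_line)


# Constructed sample access log in Combined Log Format; not from a real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:09:14:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Apr/2026:09:14:05 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
203.0.113.7 - - [10/Apr/2026:09:14:40 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [10/Apr/2026:09:15:10 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2026:09:20:00 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_terminal_access(log_text: str, trusted_ips=()) -> dict:
    """Group /terminal/ws requests from untrusted clients by source IP.

    Returns {"opened": {ip: [timestamps]}, "blocked": {ip: [timestamps]}}.
    A 101 on this path means that client was given a shell and every secret
    the server process could read should be treated as exposed; any other
    status is a blocked attempt, still worth knowing for scoping.
    """
    opened, blocked = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != TERMINAL_PATH:
            continue
        if m["ip"] in trusted_ips:
            continue
        bucket = opened if m["status"] == "101" else blocked
        bucket[m["ip"]].append(m["ts"])
    return {"opened": dict(opened), "blocked": dict(blocked)}


if __name__ == "__main__":
    report = scan_terminal_access(SAMPLE_LOG, trusted_ips={"10.0.0.5"})
    for ip, stamps in report["opened"].items():
        print(f"shell opened for {ip}: {len(stamps)} session(s), first at {stamps[0]}")
    for ip, stamps in report["blocked"].items():
        print(f"blocked attempt from {ip} at {stamps[0]}")
```

Run `probe("notebook.example", 8080)` only against a host you own; a verdict of "exposed" means the build still accepts the upgrade anonymously and the host should be taken off the network before anything else. The log scan deliberately keys on the response status rather than the user agent, because the article reports the earliest sessions came from scripted clients that are easy to relabel.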