Critical Marimo Flaw Exploited Hours After Public Disclosure

A threat actor built a working exploit for a critical unauthenticated RCE in Marimo (CVE-2026-39987) and began weaponizing it roughly nine hours after the bug’s public disclosure. The attacker used the unauthenticated terminal WebSocket endpoint to gain an interactive shell, quickly exfiltrated credential files and searched for SSH keys; users should upgrade to Marimo 0.23.0 or newer. #Marimo #CVE-2026-39987

Keypoints

  • Critical unauthenticated RCE (CVE-2026-39987) affects Marimo’s terminal WebSocket endpoint.
  • The /terminal/ws endpoint fails to call validate_auth(), allowing unauthenticated shell access.
  • An exploit was created and used about 9 hours and 41 minutes after the advisory was published.
  • Sysdig observed the attacker exfiltrate credential files and search for SSH keys during a brief compromise.
  • All releases up to 0.20.4 are affected; upgrade to Marimo 0.23.0 or later to apply the patch.
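Two defender-side checks that follow from the keypoints above, written here as an added example rather than code from Marimo, Sysdig or the advisory: a triage routine that flags completed WebSocket upgrades to /terminal/ws from untrusted sources in an access log, and a classifier for an installed version against the affected and fixed ranges stated above. The log line format, the sample entries and the trusted-source set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines in a combined-style format (an assumption; the page does
# not show marimo's own logging). A 101 status is a completed WebSocket upgrade.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Apr/2026:09:41:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0
203.0.113.7 - - [10/Apr/2026:09:41:10 +0000] "GET /terminal/ws HTTP/1.1" 101 0
203.0.113.7 - - [10/Apr/2026:09:41:11 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 0
198.51.100.12 - - [10/Apr/2026:09:41:15 +0000] "GET /api/kernel/status HTTP/1.1" 200 512
198.51.100.12 - - [10/Apr/2026:09:41:20 +0000] "GET /terminal/ws HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TERMINAL_WS_PATH = "/terminal/ws"  # the endpoint that skipped validate_auth()


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_terminal_ws_upgrades(log_text, trusted_sources=frozenset({"127.0.0.1", "::1"})):
    """Return {source_ip: count} of completed (101) upgrades to /terminal/ws from sources
    outside the trusted set. On an unpatched instance (<= 0.20.4) no credentials were
    needed for that upgrade, so each hit is a candidate unauthenticated shell session."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path == TERMINAL_WS_PATH and rec["status"] == "101" and rec["ip"] not in trusted_sources:
            hits[rec["ip"]] += 1
    return dict(hits)


def version_status(version):
    """Classify a marimo version string using only the ranges the summary states:
    'affected' up to 0.20.4, 'fixed' from 0.23.0, 'unknown' for anything in between."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.groups())
    if parts <= (0, 20, 4):
        return "affected"
    if parts >= (0, 23, 0):
        return "fixed"
    return "unknown"
```

Run `find_terminal_ws_upgrades` over a real log only after confirming the proxy actually records the upgrade status; a 101 that the proxy rewrites to 200 would be missed by the status filter.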

Read More: https://www.securityweek.com/critical-marimo-flaw-exploited-hours-after-public-disclosure/