Vulnerability  ·  2026-04-12

Marimo Pre-Auth RCE Exploited Within 10 Hours (CVE-2026-39987)

Vulnerability  ·  High impact  ·  CVE-2026-39987
Pre-authentication remote code execution in Marimo Python notebook (CVSS 9.3). The /terminal/ws WebSocket endpoint lacks authentication validation, granting unauthenticated attackers full PTY shell access. Exploited in the wild 9 hours 41 minutes after disclosure.
Unauthenticated WebSocket connection to /terminal/ws endpoint bypasses authentication that other endpoints correctly enforce. Attackers gain root shell access (default Docker images run as root) and immediately harvest LLM API keys and cloud credentials.
Affects Marimo versions ≤0.20.4. Marimo is used by Stanford, Mozilla AI, OpenAI, and BlackRock, and is widely deployed on Docker/GPU cloud instances.
Update to Marimo 0.23.0 or newer immediately. Network-isolate all Marimo instances. Rotate any API keys and cloud credentials on exposed systems. Audit for unauthorised access.
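A defender-side check for the exposure described above, added here as an example rather than code from the advisory or the Marimo project: it scans reverse-proxy access logs for completed WebSocket upgrades to /terminal/ws from outside an allowlisted operator network, and flags the installed version against the affected range. The log format, the allowlist and the sample lines are assumptions constructed for the example.

```python
# Added example (not from the original post or the Marimo project).
# Flags completed (HTTP 101) upgrades to /terminal/ws from non-allowlisted
# sources in a proxy access log; on a Marimo <= 0.20.4 host each hit is a
# possible unauthenticated shell session and a trigger for credential rotation.
import ipaddress
import re
from typing import NamedTuple

# Operator networks expected to reach the terminal endpoint (assumed values).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined-log-format style line; the proxy format is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.4.7 - - [12/Apr/2026:08:01:10 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2026:08:03:40 +0000] "GET /api/kernel/run HTTP/1.1" 401 12 "-" "python-websockets/12.0"
203.0.113.9 - - [12/Apr/2026:08:03:55 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"
198.51.100.22 - - [12/Apr/2026:08:04:02 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.5.0"
"""

class Hit(NamedTuple):
    ip: str
    ts: str

def find_terminal_ws_hits(log_text: str) -> list[Hit]:
    """Return completed /terminal/ws upgrades from IPs outside ALLOWED_NETWORKS."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"] != "/terminal/ws" or m["status"] != "101":
            continue  # other endpoints, or upgrades the proxy refused
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in ALLOWED_NETWORKS):
            continue  # expected operator traffic
        hits.append(Hit(m["ip"], m["ts"]))
    return hits

def is_vulnerable_version(version: str) -> bool:
    """True for the affected range named in the advisory (Marimo <= 0.20.4)."""
    return tuple(int(p) for p in version.split(".")) <= (0, 20, 4)

if __name__ == "__main__":
    for hit in find_terminal_ws_hits(SAMPLE_LOG):
        print(f"ALERT: /terminal/ws session from {hit.ip} at {hit.ts}")
```

Feed the function your proxy's real log text; a hit on a host still on a version for which `is_vulnerable_version` returns True should start the key and credential rotation the advisory calls for.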
Sources
The Hacker News - Marimo RCE CVE-2026-39987
SecurityWeek - Critical Marimo Flaw Exploited
Endor Labs - Root in One Request Marimo RCE