Breaking: Marimo Pre-Auth RCE Exploited in Under 10 Hours — 24 April 2026
Marimo Pre-Auth RCE Added to KEV After Exploitation in Under 10 Hours
CISA added CVE-2026-39987 to the Known Exploited Vulnerabilities catalog on April 23. The vulnerability is a pre-authentication remote code execution flaw in marimo, an open-source reactive Python notebook platform. CVSS v4.0: 9.3. The remediation deadline is May 7.
What makes this urgent is the speed of exploitation. Sysdig's Threat Research Team observed the first attack just 9 hours and 41 minutes after the advisory was published on April 8. No public proof-of-concept code existed at the time. An attacker built a working exploit directly from the GitHub advisory description, connected to the unauthenticated /terminal/ws WebSocket endpoint, and obtained a full interactive shell. Within minutes they had exfiltrated credentials including AWS keys from the .env file.
The Vulnerability
The /terminal/ws endpoint in marimo versions 0.20.4 and earlier provides an interactive PTY shell but skips authentication validation entirely. Other WebSocket endpoints in the application correctly call validate_auth(). The terminal endpoint does not. Connecting a single WebSocket gives a persistent interactive shell with the privileges of the marimo process, no credentials, no tokens, no payload crafting required.
The fix shipped in version 0.23.0 via PR #9098.
The attack pattern Sysdig captured was deliberate: a scripted validation probe emitting marker strings (---POC-START---, ---POC-END---), followed by manual reconnaissance, followed by targeted credential exfiltration from .env and configuration files. This is not mass scanning. This is a competent operator who read the advisory, built a weapon, and moved with purpose.
Why This Matters Beyond Marimo
Marimo has roughly 20,000 GitHub stars. It is not a household name in enterprise infrastructure. The speed of exploitation suggests threat actors are monitoring advisory feeds broadly, not just for high-profile targets, and are capable of weaponising vulnerabilities in niche software within hours. Sysdig notes the same pattern with the recent Langflow flaw (CVE-2026-33017), where exploitation happened within 20 hours of disclosure. The marimo case halves that timeline.
The implication is that AI-assisted vulnerability analysis is now being applied to real-time advisory monitoring. The advisory itself contained enough detail to construct a working exploit without any PoC code. Attackers who can turn a description into a weapon in under ten hours change the calculus for every organisation running exposed notebook platforms or development tools.
Notebook platforms are particularly attractive targets because they tend to hold database connections, API keys, cloud credentials, and access to datasets. A single compromised instance can provide lateral access to connected infrastructure.
So What / Action
If you run marimo instances, upgrade to 0.23.0 or later immediately. Audit any exposed instances for signs of /terminal/ws access in logs. Check for unexpected outbound connections, .env file access, and credential rotation needs. If marimo was internet-facing, assume credential compromise and rotate every secret the instance could reach.
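The log audit and version check recommended above, written out as an added example (not code from Sysdig, marimo, or the original post). It assumes a uvicorn-style access-log format for the sample lines, which are constructed here; adapt the regex to whatever your reverse proxy or ASGI server actually emits.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed uvicorn/starlette access-log style.
# Status 101 (Switching Protocols) means the WebSocket handshake completed.
SAMPLE_LOG = """\
INFO:     203.0.113.7:51022 - "GET /terminal/ws HTTP/1.1" 101
INFO:     127.0.0.1:40012 - "GET /ws?session_id=abc HTTP/1.1" 101
INFO:     198.51.100.9:6001 - "GET /terminal/ws HTTP/1.1" 101
INFO:     203.0.113.7:51040 - "GET /terminal/ws HTTP/1.1" 101
INFO:     10.0.0.5:33100 - "GET /api/kernel/status HTTP/1.1" 200
"""

# Assumed format: "<ip>:<port> - "<method> <path> HTTP/x.y" <status>"
LOG_RE = re.compile(
    r'(?P<ip>[\d.]+):\d+ - "(?P<method>\w+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_terminal_ws_hits(log_text, trusted_prefixes=("127.", "10.")):
    """Return (ip, path, status) for every completed /terminal/ws handshake
    from a source outside the trusted address prefixes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                      # not an access-log line we understand
        if m["path"].split("?")[0] != "/terminal/ws":
            continue                      # other endpoints do call validate_auth()
        if m["status"] != "101":
            continue                      # handshake never upgraded to a WebSocket
        if m["ip"].startswith(trusted_prefixes):
            continue                      # local/admin network, review separately
        hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def hits_by_source(hits):
    """Count terminal shells per source IP so repeat operators stand out."""
    return Counter(ip for ip, _, _ in hits)


def needs_upgrade(version):
    """True when the installed marimo version is below the fixed release 0.23.0."""
    parts = tuple(int(re.match(r"\d+", p).group()) for p in version.split(".")[:3])
    return parts < (0, 23, 0)


if __name__ == "__main__":
    hits = find_terminal_ws_hits(SAMPLE_LOG)
    print(hits_by_source(hits))           # e.g. Counter({'203.0.113.7': 2, '198.51.100.9': 1})
    print("upgrade needed:", needs_upgrade("0.20.4"))
```

Any hit from an untrusted source on an instance that was running 0.20.4 or earlier should be treated as a shell session, so rotate every secret the process could read, not just the ones in .env.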
More broadly: any development tool with an exposed management interface is now a target. Notebook platforms, CI runners, and IDE servers are being watched. If it has a web endpoint and handles credentials, it will be probed within hours of a vulnerability disclosure. Inventory your exposed development tooling today.