DEV Community

Mark0

Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure

A critical pre-authenticated remote code execution (RCE) vulnerability, tracked as CVE-2026-39987 with a CVSS score of 9.3, has been identified in the Marimo open-source Python notebook. The flaw stems from a lack of authentication validation on the /terminal/ws WebSocket endpoint, which permits unauthenticated attackers to obtain a full PTY shell and execute arbitrary system commands on any exposed instance.

Security researchers at Sysdig reported that the vulnerability was exploited in the wild within 10 hours of its public disclosure, even in the absence of public proof-of-concept code. Observed activity involved manual reconnaissance aimed at harvesting sensitive data from environment variables and SSH keys, underscoring the speed at which threat actors now weaponize newly disclosed security flaws.
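Because the flaw is an unauthenticated WebSocket upgrade on /terminal/ws, any successful upgrade of that path from a client outside your trusted networks is worth an alert. The following log scanner is an added example written for this post, not code from Marimo or Sysdig; it assumes Marimo sits behind a reverse proxy that writes combined-format access logs, uses constructed sample lines, and treats loopback plus RFC 1918 ranges as the trusted networks.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in combined log format, as a reverse proxy in front of a
# Marimo instance might emit them; these are not real Marimo or Sysdig data.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2026:10:01:02 +0000] "GET /?file=nb.py HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Mar/2026:10:03:44 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"
127.0.0.1 - - [20/Mar/2026:10:04:10 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Mar/2026:10:05:59 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 403 0 "-" "curl/8.6.0"
"""

# Combined log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Networks from which terminal access is expected (assumption: loopback + RFC 1918).
TRUSTED_NETS = [ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(src: str) -> bool:
    """True when the client address lies outside every trusted network."""
    try:
        ip = ip_address(src)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(ip in net for net in TRUSTED_NETS)

def find_terminal_ws_events(log_text: str) -> list[dict]:
    """Flag /terminal/ws requests from external clients.
    A 101 Switching Protocols response means the upgrade succeeded, i.e. a PTY session
    was handed to the client (severity high); any other status is still a probe (medium).
    """
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        path = rec["path"].split("?", 1)[0]  # ignore query string when matching the endpoint
        if path != "/terminal/ws" or not is_external(rec["src"]):
            continue
        rec["severity"] = "high" if rec["status"] == "101" else "medium"
        events.append(rec)
    return events
```

On the sample input this flags the 198.51.100.23 upgrade as high and the 203.0.113.9 probe as medium, while the loopback upgrade and the ordinary notebook request are ignored.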
