Marimo Critical Flaw Exploited in Under 10 Hours

In a stark demonstration of modern cyber threat velocity, a critical flaw in the Marimo data science notebook was weaponized by attackers less than 10 hours after its public disclosure on April 10, 2026, according to findings from Sysdig. The vulnerability, a pre-authenticated remote code execution bug tracked as CVE-2026-39987 with a CVSS score of 9.3, impacted all versions up to and including 0.20.4.

Maintainers stated in an advisory that the terminal WebSocket endpoint completely skipped authentication verification. Consequently, an unauthenticated attacker could connect and obtain a full interactive PTY shell to execute arbitrary system commands.

Sysdig’s honeypot recorded the first exploitation attempt just 9 hours and 41 minutes post-disclosure, even without public proof-of-concept code. The unknown threat actor manually explored the file system and systematically attempted to harvest data, notably targeting the .env file and SSH keys.

The attacker returned to the compromised system an hour later to access stolen data and check for other malicious activity. Meanwhile, no other payloads like cryptocurrency miners or backdoors were installed during these sessions.

This rapid exploitation highlights how threat actors closely monitor vulnerability disclosures. The incident proves that any internet-facing application with a critical advisory is a target, regardless of its popularity.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• Bitcoin QuantumSafe Plan Costly, No Fork Needed
• TD Cowen Downgrades MSTR Target, Calls Sharplink a ‘Buy’
• McLaren Racing Joins Hedera Governing Council
• Comic raised $50K for Gaza via staged memecoin rug pulls.
• TON Blockchain Cuts Block Times, Boosts Speed 6-Fold