Marimo Python notebook server has a critical pre-authentication RCE vulnerability allowing unauthenticated attackers to execute arbitrary system commands via an unprotected terminal WebSocket endpoint. This vulnerability is actively exploited in the wild and was added to CISA KEV catalog after being exploited within 10 hours of disclosure.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-04-09
Added to CISA KEV: 2026-04-23 14 DAYS BETWEEN CVE AND KEV
Description. marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint ...
Successful exploitation may cause remote code execution to exfiltrate usernames and hashed passwords for the local device admin (s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.How to use the KEV ...
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
A critical flaw, tracked as CVE-2026-39987, in the open-source Python notebook tool Marimo was exploited within 10 hours of disclosure.