Marimo flaw exploited fast
A remote‑code‑execution bug in Marimo (CVE‑2026‑39987) was reportedly exploited within ten hours of disclosure, allowing unauthenticated code execution and credential theft. The speed of exploitation underscores why operational patch governance and emergency change paths matter for teams that own controls and incident evidence. (thehackernews.com)
Marimo is a Python notebook that runs code in little blocks, like a lab bench where changing one beaker can automatically update the others. That convenience depends on a local web server, and this bug sat in the part of that server that exposed a browser terminal. (github.com, wiz.io)

The broken piece was a WebSocket, which is just a live two-way pipe between a browser and a server, more like a phone call than a webpage refresh. In vulnerable Marimo versions, the `/terminal/ws` pipe accepted connections without checking whether the caller had logged in. (wiz.io, advisories.gitlab.com) That turned a notebook server into something closer to an unlocked remote keyboard. Security researchers say an attacker could get a full pseudo-terminal shell, which means real system commands on the host machine, not just notebook edits inside the app. (advisories.gitlab.com, endorlabs.com)

The affected range was broad: Marimo says versions up to 0.20.4 were vulnerable, and the project shipped version 0.23.0 with the security fix. The release note says the issue matters when Marimo is deployed as an editable notebook, not only when a developer runs it on a laptop for personal use. (github.com, advisories.gitlab.com)

The speed is what made this story jump. Sysdig's honeypots saw the first exploitation attempt 9 hours and 41 minutes after the advisory was published on April 8, 2026. (labs.cloudsecurityalliance.org, securityweek.com) The attacker did not wait for a public step-by-step exploit. Sysdig said the exploit was built directly from the disclosure, which is the modern pattern when advisories include enough detail for anyone with a browser and some scripting skill to reconstruct the path. (securityweek.com, thehackernews.com)

What the intruder grabbed was ordinary and dangerous at the same time.
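The bug class behind this advisory is an authentication check that covers the ordinary HTTP routes but not the WebSocket upgrade. The following is an added illustration, not marimo's own code: a hypothetical ASGI-style `/terminal/ws` handler in its vulnerable shape beside a hardened shape that authenticates before accepting the socket. The session store, the `session` cookie name, the `access_token` query parameter and the sample credential values are all constructed for the example.

```python
"""Hypothetical ASGI WebSocket endpoint, added to illustrate the bug class:
auth enforced on HTTP routes but skipped on the WebSocket upgrade.
Illustrative code, not marimo's implementation."""
import asyncio
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed session store: session id -> user. Stands in for whatever a
# real server records after a browser login.
SESSIONS = {"s3cr3t-session-id": "alice"}
# Constructed bearer-style token accepted via ?access_token= (assumed name).
ACCESS_TOKEN = "tok-0123456789"


def _header(scope, name):
    """Return one request header from an ASGI scope (headers are byte pairs)."""
    want = name.lower().encode()
    for key, value in scope.get("headers", []):
        if key.lower() == want:
            return value.decode()
    return None


def authenticated_user(scope):
    """Return the user bound to this WebSocket handshake, or None.

    Checks a session cookie first, then an access_token query parameter.
    Comparisons use hmac.compare_digest so the check is constant-time."""
    cookie_header = _header(scope, "cookie")
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if "session" in jar:
            presented = jar["session"].value
            for known, user in SESSIONS.items():
                if hmac.compare_digest(presented, known):
                    return user
    query = parse_qs(scope.get("query_string", b"").decode())
    for token in query.get("access_token", []):
        if hmac.compare_digest(token, ACCESS_TOKEN):
            return "token-user"
    return None


async def vulnerable_terminal_ws(scope, receive, send):
    """Vulnerable shape: accept the upgrade for anyone, then attach a shell.
    Every client that can reach the port gets the PTY."""
    await send({"type": "websocket.accept"})
    # A real handler would spawn a pty here and relay bytes both ways.
    return "shell-attached"


async def hardened_terminal_ws(scope, receive, send):
    """Hardened shape: authenticate before websocket.accept.
    Per the ASGI spec, a websocket.close sent before accept makes the server
    reject the handshake with HTTP 403, so no terminal is ever spawned."""
    if authenticated_user(scope) is None:
        await send({"type": "websocket.close", "code": 1008})  # policy violation
        return "rejected"
    await send({"type": "websocket.accept"})
    return "shell-attached"


def ws_scope(path="/terminal/ws", headers=(), query=b""):
    """Build a minimal ASGI websocket scope for a handshake to `path`."""
    return {
        "type": "websocket",
        "path": path,
        "query_string": query,
        "headers": [(k.lower().encode(), v.encode()) for k, v in headers],
    }


def run(handler, scope):
    """Drive a handler with an in-memory send/receive pair; return
    (handler result, messages the handler sent)."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "websocket.connect"}

    return asyncio.run(handler(scope, receive, send)), sent


if __name__ == "__main__":
    anon = ws_scope()
    print("vulnerable, anonymous:", run(vulnerable_terminal_ws, anon)[0])
    print("hardened, anonymous:  ", run(hardened_terminal_ws, anon)[0])
    print("hardened, with cookie:",
          run(hardened_terminal_ws,
              ws_scope(headers=[("Cookie", "session=s3cr3t-session-id")]))[0])
```

The point to take from the two handlers is where the check sits: the session or token must be validated on the handshake itself, before `websocket.accept`, because a WebSocket route is not covered by middleware that only inspects HTTP request paths, and anything done after accept already has a live pipe to the process.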
Reports say the activity focused on reconnaissance, Secure Shell keys, and `.env` files, which often store cloud tokens, database passwords, and application secrets in plain text for convenience. (thehackernews.com, labs.cloudsecurityalliance.org) That is why notebook servers are touchier than they look. A data science tool often sits next to production data, cloud credentials, and internal code, so one exposed terminal can become a bridge into much larger systems. (endorlabs.com, pentest-tools.com)

Marimo had already dealt with another authentication-related issue in October 2025, when GitHub published an advisory about unauthenticated access through its `/mpl/` route. Two advisories in about six months do not prove a pattern by themselves, but they do show how small "developer convenience" endpoints can become internet-facing attack paths. (github.com, github.com)

As of April 11, 2026, the vulnerability does not appear in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog, even though multiple firms say exploitation has been seen in the wild. That gap matters because many patch programs key off official catalogs, while attackers key off disclosure timestamps. (cisa.gov, securityweek.com)

The practical lesson is blunt: if a tool opens a terminal in the browser, treat it like remote admin software, not like a harmless notebook. For Marimo, that means upgrading to 0.23.0, finding any instance reachable from outside the team's own network, and assuming that every secret on a vulnerable host (SSH keys, `.env` contents, cloud tokens) needs rotation if the server was reachable from the internet while unpatched. (github.com, wiz.io, thehackernews.com)
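"Checking exposed instances" in practice means going back through access logs for the vulnerable window. The script below is an added example, not a Marimo or Sysdig tool: it assumes a reverse proxy in front of the notebook server writes combined-format access logs, scans constructed sample lines for handshakes to the two endpoints named above, and grades each hit. A `101 Switching Protocols` on `/terminal/ws` from a non-internal address means the upgrade succeeded, which is the "assume compromise, rotate secrets" case; a refused attempt is still worth recording as a probe. The endpoint list, severity labels and sample log lines are assumptions made for the example.

```python
"""Access-log triage for the Marimo terminal endpoint. Added illustrative
code; assumes combined-format access logs from a proxy in front of marimo.
Sample lines below are constructed, not real traffic."""
import ipaddress
import re
from datetime import datetime

# Endpoints from the two advisories discussed in the text.
WATCHED_PREFIXES = ("/terminal/ws", "/mpl/")

# Explicit internal ranges. ipaddress.is_private would also flag the RFC 5737
# documentation ranges used in the sample, so the list is spelled out.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample: a local dev session, a refused probe, a successful
# upgrade from outside, a follow-up hit on /mpl/, and unrelated traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [08/Apr/2026:20:01:12 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2026:05:39:44 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.23 - - [09/Apr/2026:05:41:03 +0000] "GET /terminal/ws?access_token= HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
198.51.100.23 - - [09/Apr/2026:05:41:30 +0000] "GET /mpl/1 HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
10.0.0.5 - - [09/Apr/2026:06:10:00 +0000] "GET /static/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path_only"] = rec["path"].split("?", 1)[0]
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_external(ip):
    """True unless the address falls in an explicitly internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable source: do not silently ignore it
    return not any(addr in net for net in INTERNAL_NETS)


def grade(rec):
    """Severity for a watched-endpoint hit from an external address."""
    if rec["path_only"] == "/terminal/ws" and rec["status"] == 101:
        return "critical", "terminal upgrade succeeded from outside; assume host compromise, rotate SSH keys and .env secrets"
    if rec["path_only"].startswith("/mpl/") and 200 <= rec["status"] < 300:
        return "high", "/mpl/ route served an external client; compare against the October 2025 advisory"
    return "probe", "attempt on a watched endpoint was not successful; record source for correlation"


def find_suspicious(log_text):
    """Return graded findings, oldest first, for external hits on watched endpoints."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path_only"].startswith(WATCHED_PREFIXES):
            continue
        if not is_external(rec["ip"]):
            continue
        severity, note = grade(rec)
        findings.append({"ts": rec["ts"].isoformat(), "ip": rec["ip"],
                         "path_only": rec["path_only"], "status": rec["status"],
                         "ua": rec["ua"], "severity": severity, "note": note})
    return sorted(findings, key=lambda f: f["ts"])


def rotation_needed(findings):
    """True if any finding shows a completed terminal session from outside."""
    return any(f["severity"] == "critical" for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]:15} {h["status"]} {h["path_only"]:15} {h["severity"]:8} {h["note"]}')
    print("rotate secrets:", rotation_needed(hits))
```

The log only proves that the handshake completed; what the shell then did (reading `~/.ssh`, dumping `.env`) is invisible here, which is exactly why a single external `101` on this path is treated as a rotation trigger rather than as something to investigate first and rotate later.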