Marimo Python Notebook RCE Exploited Hours After Disclosure

Marimo patched a critical RCE vulnerability (CVE-2026-39987) that was exploited within 10 hours of disclosure to steal cloud credentials and SSH keys. The flaw allows unauthenticated attackers to gain full interactive shell access via a WebSocket authentication bypass.