🔴 CVE-2026-39987

The Marimo Python notebook server has a critical pre-authentication RCE vulnerability that allows unauthenticated attackers to execute arbitrary system commands via an unprotected terminal WebSocket endpoint. This vulnerability is actively exploited in the wild and was added to the CISA KEV catalog after being exploited within 10 hours of disclosure.

Risk Level: HIGH_RISK
CVSS Score: 9.3
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-04-09

Added to CISA KEV: 2026-04-23 (14 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-04-24)

CVE-2026-39987 is a critical vulnerability affecting the open-source Python notebook tool Marimo [1]. This vulnerability has been actively exploited in the wild [4] and was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog [3].

Here's a breakdown of what is known about its exploitation:

  • Internet-facing applications or services: The vulnerability exists in Marimo, which is described as a "reactive Python notebook" [1]. The sources do not explicitly say the affected deployments are internet-facing, but notebook tools of this kind are served through a web interface that is often exposed beyond localhost.
  • Evidence of active exploitation: CISA has confirmed that there is evidence of active exploitation [4], and it was exploited within 10 hours of its disclosure [5].
  • Attack vectors and exploitation methods: The vulnerability is a Pre-Authentication Remote Code Execution (RCE) flaw [1]. Successful exploitation can lead to remote code execution [2].
  • Targeted attacks: The provided information does not specify if this vulnerability has been used in targeted attacks.
  • CISA Known Exploited Vulnerabilities status: CVE-2026-39987 is included in the CISA KEV Catalog [3], indicating it has been exploited in the wild.
  • Technical details about internet exploitability: The vulnerability lies within the terminal WebSocket endpoint of Marimo [1]. Source [2] states that successful exploitation may result in the exfiltration of usernames and hashed passwords for local device administrators, portal administrators, and user accounts used for remote access; note that the quoted excerpt from [2] does not name Marimo.

Sources

  1. CVE-2026-39987 - CVE Record

    Description. marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint ...

  2. Print View

    Successful exploitation may cause remote code execution to exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).

  3. Known Exploited Vulnerabilities Catalog - CISA

    For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catal…

  4. CISA Adds One Known Exploited Vulnerability to Catalog | CISA

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  5. CVE-2026-39987: Marimo RCE exploited in hours after disclosure

    A critical flaw, tracked as CVE-2026-39987, in the open-source Python notebook tool Marimo was exploited within 10 hours of disclosure.