CVE-2026-39987: Marimo RCE exploited in hours after disclosure

Security Affairs, 11/04/2026, 09:44

Summary

AI-Generated

Key Points:

  • CVE-2026-39987 is a critical pre-authenticated remote code execution (RCE) vulnerability in the Marimo Python notebook tool, exploited within 10 hours of disclosure.
  • The flaw allows unauthenticated attackers to execute arbitrary commands via the /terminal/ws WebSocket endpoint, affecting versions up to 0.20.4, with credential theft occurring in under 3 minutes.
  • Immediate upgrade to version 0.23.0 is recommended, alongside monitoring for unusual access patterns and implementing strict network segmentation.

Technical Details: The vulnerability allows remote code execution without authentication because of insufficient validation on the /terminal/ws WebSocket endpoint. Attackers exploited the flaw within 10 hours of disclosure, which reflects a concerning trend toward rapid exploitation of newly disclosed vulnerabilities.
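
A defender-side check for the two actions in the key points (confirm the installed version, watch for access to /terminal/ws), as an added example that is not from the article or the Marimo project. It assumes Marimo sits behind a reverse proxy writing combined-format access logs; the log lines, the function names and the "below-recommended" label for versions between 0.20.4 and 0.23.0 are constructed for illustration.

```python
import re

AFFECTED_MAX = (0, 20, 4)  # summary: versions up to 0.20.4 are affected
RECOMMENDED = (0, 23, 0)   # summary: upgrade to 0.23.0

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """
203.0.113.7 - - [11/Apr/2026:03:12:44 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "-"
203.0.113.7 - - [11/Apr/2026:03:13:02 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 0 "-" "-"
198.51.100.23 - - [11/Apr/2026:03:20:10 +0000] "GET /terminal/ws HTTP/1.1" 403 153 "-" "-"
192.0.2.10 - - [11/Apr/2026:03:21:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_version(v):
    # '0.20.4' -> (0, 20, 4); missing components are treated as 0
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def version_status(v):
    t = parse_version(v)
    if t <= AFFECTED_MAX:
        return "affected"
    if t < RECOMMENDED:
        return "below-recommended"  # label is an assumption of this example
    return "ok"

def terminal_ws_hits(lines):
    # Per-source-IP count of requests to the terminal WebSocket path.
    # Status 101 means the WebSocket upgrade was accepted by the server.
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if not path.endswith("/terminal/ws"):  # also matches behind a URL prefix
            continue
        entry = hits.setdefault(m.group("ip"), {"requests": 0, "upgraded": 0})
        entry["requests"] += 1
        entry["upgraded"] += m.group("status") == "101"
    return hits

if __name__ == "__main__":
    print(version_status("0.20.4"))
    print(terminal_ws_hits(SAMPLE_LOG.splitlines()))
```

Any source with a non-zero `upgraded` count reached the terminal endpoint and is worth tracing back to the host's process and credential-access activity for the same time window.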

MITRE ATT&CK Techniques:

  • T1210 - Exploitation of Remote Services (Initial Access)
  • T1003.001 - OS Credential Dumping: LSASS Memory (Credential Access)

IOCs Mentioned:

  • One source IP targeting honeypots
  • 125 unique IPs conducting reconnaissance activities
