ThreatCluster

Critical Marimo RCE Flaw Exposes Systems to Remote Attacks

First seen 19 May 2026, 11:23 UTC GbhackersCybersecuritynews 92% similarity 73

Article Content

Browse articles
ThreatCluster

A critical vulnerability in the Marimo Python notebook framework, tracked as CVE-2026-39987, allows attackers to execute arbitrary commands remotely without authentication. The flaw, stemming from a missing authentication check in a WebSocket endpoint, enables pre-authentication remote code execution (RCE) and could lead to full system compromise. Security experts have confirmed that this vulnerability is actively being exploited in the wild. Organizations using the Marimo framework are at risk, particularly those with exposed WebSocket terminals. The vulnerability was published on April 9, 2026, and was added to the CISA KEV list for active exploitation on April 23, 2026. A proof of concept (PoC) was made public shortly after its disclosure on April 13, 2026. Immediate action is recommended for affected systems to mitigate potential attacks.

Key Points: • CVE-2026-39987 allows remote code execution without authentication. • The vulnerability is actively exploited, posing a significant risk to exposed systems. • Organizations using the Marimo framework should apply security updates immediately.

ThreatCluster AI

Timeline

2026-04-09
CVE-2026-39987 published
A critical RCE vulnerability in Marimo was disclosed, allowing remote command execution.
Gbhackers
2026-04-13
First public PoC released
A proof of concept demonstrating the RCE flaw was made publicly available.
Gbhackers
2026-04-23
Added to CISA KEV list
CISA added CVE-2026-39987 to its Known Exploited Vulnerabilities list due to active exploitation.
Gbhackers
Recent
Active exploitation reported
Security researchers confirmed that the Marimo vulnerability is being actively exploited in the wild.
Cybersecuritynews

Community

Browse all →