
Critical Marimo RCE Flaw Exposes Systems to Remote Attacks

Severity: High (Score: 72.8)

Sources: Cybersecuritynews, Gbhackers

Published: 2026-05-19 · Updated: 2026-05-20

Keywords: critical, marimo, vulnerability, code, attackers, security, remote

Severity indicators: critical, vulnerability, remote code execution, ot

Summary

A critical vulnerability in the Marimo Python notebook framework, tracked as CVE-2026-39987, allows attackers to execute arbitrary commands remotely without authentication. The flaw stems from a missing authentication check in a WebSocket endpoint; it enables pre-authentication remote code execution (RCE) and could lead to full system compromise. Security experts have confirmed that the vulnerability is being actively exploited in the wild. Organizations using the Marimo framework are at risk, particularly those with exposed WebSocket terminals. The vulnerability was published on April 9, 2026, a proof of concept (PoC) was made public on April 13, 2026, shortly after disclosure, and the CVE was added to the CISA KEV list for active exploitation on April 23, 2026. Immediate action is recommended for affected systems to mitigate potential attacks.

Key Points:

  • CVE-2026-39987 allows remote code execution without authentication.
  • The vulnerability is actively exploited, posing a significant risk to exposed systems.
  • Organizations using the Marimo framework should apply security updates immediately.

Detailed Analysis

**Impact** Organizations using the Marimo Python notebook framework are affected, with potential full infrastructure compromise due to remote code execution. The vulnerability allows attackers to gain system-level shell access without authentication, risking sensitive data and operational control. Specific sectors or geographic regions impacted are not detailed in the sources.

**Technical Details** The attack exploits CVE-2026-39987, a missing authentication check in a WebSocket terminal endpoint of Marimo, enabling pre-authentication remote code execution. Attackers can spawn system-level shells remotely, bypassing login requirements. No specific malware, tools, or IOCs are mentioned in the articles.

**Recommended Response** Apply available patches addressing CVE-2026-39987 immediately to close the WebSocket endpoint vulnerability. Harden configurations to restrict WebSocket access and monitor for unauthorized shell activity or unusual network connections. In the absence of detailed IOCs, prioritize detection of anomalous WebSocket usage and system shell spawns.

Source articles (2)

  • Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks — Cybersecuritynews · 2026-05-19
    A critical security vulnerability in the Marimo Python notebook framework is being actively exploited to achieve pre-authentication remote code execution (RCE), allowing attackers to gain full control…
  • Critical Marimo RCE Flaw Could Let Attackers Execute Malicious Code Remotely — Gbhackers · 2026-05-18
    A newly disclosed critical vulnerability in the Marimo Python notebook framework is raising serious alarms across the cybersecurity community, as it allows attackers to execute arbitrary commands remo…

Timeline

  • 2026-04-09 — CVE-2026-39987 published: A critical RCE vulnerability in Marimo was disclosed, allowing remote command execution.
  • 2026-04-13 — First public PoC released: A proof of concept demonstrating the RCE flaw was made publicly available.
  • 2026-04-23 — Added to CISA KEV list: CISA added CVE-2026-39987 to its Known Exploited Vulnerabilities list due to active exploitation.
  • Recent — Active exploitation reported: Security researchers confirmed that the Marimo vulnerability is being actively exploited in the wild.

CVEs

  • CVE-2026-39987

Related entities

  • Remote Code Execution (Attack Type)
  • Zero-day Exploit (Attack Type)
  • CWE-287 - Improper Authentication (CWE)
  • CWE-78 - OS Command Injection (CWE)
  • T1059 - Command and Scripting Interpreter (MITRE ATT&CK)
  • T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
  • Marimo (Platform)
  • Marimo Python Notebook Framework (Platform)