Marimo unauth RCE exploited in wild (CVE-2026-39987) [PoC]
CVE-2026-39987
Unauthenticated RCE in Marimo notebooks gives attackers a full root shell. CVE-2026-39987 is exploited in the wild. Update to v0.23.0.
Actively exploited in the wild - CVE-2026-39987 is a critical remote code execution in Coreweave Marimo before 0.23.0 that grants unauthenticated attackers a fully interactive system shell via the insecure /terminal/ws endpoint.
Overview
An unauthenticated remote code execution (RCE) vulnerability in Marimo reactive Python notebooks allows attackers to gain full system shell access without any credentials. The flaw, tracked as CVE-2026-39987, carries a CVSS score of 9.8 (Critical) and is confirmed actively exploited in the wild by CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Affected Product and Version
All Marimo versions prior to 0.23.0 are vulnerable. This includes any deployment using the built-in WebSocket server for terminal functionality.
Vulnerability Details
The /terminal/ws WebSocket endpoint fails to enforce authentication checks. While other WebSocket endpoints (such as /ws) correctly call validate_auth() to verify user identity, the terminal endpoint only checks the application’s running mode and platform support before accepting any connection. An unauthenticated attacker can connect to this endpoint and obtain a fully interactive PTY (pseudo-terminal) shell, enabling arbitrary command execution on the host system.
The exploitation requires no user interaction, no privileges, and can be conducted over the network. The attack complexity is low, meaning standard tooling can automate exploitation.
Impact
Successful exploitation gives an attacker complete control over the affected server. They can:
- Execute arbitrary system commands as the Marimo process user
- Access or exfiltrate any data accessible to that user
- Install malware, including ransomware or cryptocurrency miners
- Pivot to internal network resources
Given the confirmed active exploitation, any internet-facing Marimo instance prior to 0.23.0 should be considered compromised until proven otherwise.
Remediation
Immediate Action
- Update Immediately: Upgrade to Marimo version 0.23.0 or later. This is the only complete fix.
- Isolate Affected Systems: If updating is not immediately possible, restrict network access to the /terminal/ws endpoint using a reverse proxy or firewall rules.
- Conduct Incident Response: Scan for signs of compromise on any systems that were running vulnerable versions, particularly those exposed to the internet.
Verification
After updating, verify that the /terminal/ws endpoint now requires authentication by attempting to connect without valid credentials. The connection should be rejected.
Security Insight
This vulnerability highlights a critical design flaw: authentication checks must be consistently applied across all sensitive endpoints, not selectively implemented. The CVE-2026-39987 pattern, where one WebSocket path omits the auth check that other paths include, is a recurring finding in web applications. Developers should implement centralized authentication middleware rather than relying on individual endpoint handlers to verify credentials. For organizations running Python notebook environments, this incident reinforces that interactive terminal features should never be accessible without authentication, even in internal deployments.
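The following is an added example, not Marimo's own code, of the centralized middleware this section recommends: a dependency-free ASGI wrapper that applies one credential check to /ws and /terminal/ws alike, so a route whose handler forgets to call validate_auth() (the defect described under Vulnerability Details) can no longer be reached without credentials. The token value, the `x-session-token` header name and the `terminal_app` stand-in are assumptions for the demo; `probe()` drives the middleware with constructed ASGI scopes so the behaviour can be checked offline.

```python
import asyncio
import hmac
from typing import Optional

# Constructed demo values: token and header name are assumptions, not Marimo's real ones.
SESSION_TOKEN = "demo-secret-token"
PROTECTED_PREFIXES = ("/ws", "/terminal/ws")

def _extract_token(scope: dict) -> Optional[str]:
    """Pull the credential from an assumed `x-session-token` header."""
    for name, value in scope.get("headers", []):
        if name.lower() == b"x-session-token":
            return value.decode("latin-1")
    return None

def is_authorized(scope: dict) -> bool:
    """One policy for every WebSocket route: protected paths need a valid token."""
    if scope.get("type") != "websocket":
        return True  # HTTP routes keep their own checks in this demo
    if not scope.get("path", "").startswith(PROTECTED_PREFIXES):
        return True
    token = _extract_token(scope)
    return token is not None and hmac.compare_digest(token.encode(), SESSION_TOKEN.encode())

class WebSocketAuthMiddleware:
    """Wraps the whole ASGI app, so no single handler can forget the check."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if not is_authorized(scope):
            # Close before `websocket.accept`: the upgrade fails with HTTP 403 and no PTY is spawned.
            await send({"type": "websocket.close", "code": 1008})
            return
        await self.app(scope, receive, send)

async def terminal_app(scope, receive, send):
    """Stand-in for a terminal handler; it only accepts the socket."""
    await send({"type": "websocket.accept"})

def probe(path: str, token: Optional[str]) -> str:
    """Drive the middleware with a constructed scope; return the first message type sent."""
    sent = []
    async def send(msg): sent.append(msg)
    async def receive(): return {"type": "websocket.connect"}
    headers = [(b"x-session-token", token.encode())] if token else []
    scope = {"type": "websocket", "path": path, "headers": headers}
    asyncio.run(WebSocketAuthMiddleware(terminal_app)(scope, receive, send))
    return sent[0]["type"]
```

The same probe is what the Verification step below amounts to against a live server: an unauthenticated upgrade to /terminal/ws must be closed before it is ever accepted.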
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Description | Stars |
|---|---|---|
| 0xBlackash/CVE-2026-39987 | CVE-2026-39987 | ★ 0 |
| fevar54/marimo_CVE-2026-39987_RCE_PoC | CVE-2026-39987 - Marimo < 0.23.0 Pre-Auth RCE (WebSocket). Exploitation PoC - connects to /terminal/ws without authentication. Author: Fevar54. Date: 2026-04-13. Severity: CRITICAL. CVSS: 9.3 | ★ 0 |
| keraattin/CVE-2026-39987 | CVE-2026-39987: Marimo Python Notebook Pre-Auth RCE (CVSS 9.3). Python & Nmap NSE detection scripts. Missing authentication on /terminal/ws WebSocket endpoint gives attackers a full PTY shell without | ★ 0 |
| Nxploited/CVE-2026-39987 | marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability | ★ 0 |
| h3raklez/CVE-2026-39987 | Marimo Pre-Auth RCE | ★ 0 |
Showing 5 of 5 known references. Source: nomi-sec/PoC-in-GitHub.