CVE-2026-39987 is a critical vulnerability found in CoreWeave's Marimo, a reactive Python notebook. Prior to version 0.23.0, Marimo is susceptible to a pre-authentication remote code execution (RCE) vulnerability. The issue resides in the terminal WebSocket endpoint /terminal/ws, which lacks proper authentication validation. This oversight allows an unauthenticated attacker to gain full PTY shell access and execute arbitrary system commands.
The vulnerability is particularly concerning as it bypasses authentication checks. Unlike other WebSocket endpoints, such as /ws, which correctly implement validation, the /terminal/ws endpoint only verifies the running mode and platform support. This vulnerability has been assigned a CVSS score of 9.3, indicating its critical severity.
Risk to organizations includes potential unauthorized access to sensitive data and system control. Attackers may leverage this vulnerability to execute malicious commands, compromising the integrity and availability of systems. Organizations should prioritize patching immediately.
The vulnerability was disclosed on April 9, 2026, and has been fixed in version 0.23.0 of Marimo. Given the critical nature of this vulnerability, organizations utilizing Marimo should assess their exposure and apply the necessary updates without delay.
Exploitation of this vulnerability has been confirmed, with reports indicating it was exploited within 10 hours of disclosure. This highlights the urgency for organizations to act promptly to mitigate associated risks.
In summary, CVE-2026-39987 represents a significant threat to organizations using Marimo. Immediate patching and remediation are essential to prevent potential exploitation.
Vulnerability Details
The official CVE description states that Marimo, prior to version 0.23.0, contains a pre-authentication remote code execution vulnerability. This vulnerability allows attackers to connect to the /terminal/ws WebSocket endpoint without authentication, leading to unauthorized command execution.
The vulnerability has been assigned a CVSS 4.0 score of 9.3, indicating critical severity due to its high potential impact on confidentiality, integrity, and availability. The affected product is Marimo by CoreWeave, which is crucial for users relying on this technology for interactive computing.
This vulnerability has been classified under CWE-306, which pertains to missing authentication for critical functions.
Technical Analysis
The root cause of CVE-2026-39987 is the lack of proper authentication checks on the /terminal/ws WebSocket endpoint. This design flaw permits unauthenticated access, which can be exploited by attackers to execute arbitrary commands. The attack vector is classified as network-based, with low complexity and no privileges required. Furthermore, user interaction is not necessary for exploitation.
The potential impacts of this vulnerability are severe, with high confidentiality, integrity, and availability impacts. Attackers gaining access can manipulate and control the system, leading to significant operational disruptions.
Risk & Impact Analysis
The risk to organizations includes unauthorized access to system resources and data, allowing attackers to execute commands that could compromise the entire system. The potential blast radius is significant, given the critical nature of the vulnerability and its exploitation potential.
The urgency level for addressing this vulnerability is critical, given its CVSS score of 9.3 and the fact that it has been added to the Known Exploited Vulnerabilities (KEV) catalog. Organizations must act swiftly to implement patches or mitigate exposure to prevent exploitation.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | Yes |
Public PoC | Yes |
Actively Exploited | Yes |
Ransomware Use | No |
Affected Versions
All versions of Marimo prior to 0.23.0 are affected by this vulnerability. Organizations should ensure they are running the patched version to mitigate risk.
Mitigation & Remediation
To mitigate this vulnerability, organizations must upgrade to Marimo version 0.23.0 or later. If immediate patching is not possible, consider applying workarounds such as network controls to restrict access to the vulnerable endpoint until the upgrade can be performed.
Regular security assessments, including penetration testing, can help identify similar vulnerabilities in the future.
Detection Guidance
Organizations should monitor logs for indicators of unauthorized access attempts, particularly on the /terminal/ws endpoint. Behavioral anomalies or unusual command executions should be flagged for investigation.
AppSecure Threat Intelligence Insight
The emergence of CVE-2026-39987 highlights the ongoing need for robust security practices in development environments. As vulnerabilities like this can be exploited within hours, security teams must prioritize timely patching and monitoring.
For further guidance, organizations can refer to our penetration testing methodology and our insights on vulnerability management programs to enhance their security posture.
The urgency of addressing this vulnerability cannot be overstated, especially as the threat landscape evolves.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)