Vulnerability
Exploitation Wave
Marimo WebSocket RCE abused after CVE-2026-39987 disclosure
Updated 29.05.2026 17:39
Case score 66
Score breakdown
- Total: 66
- Lead score: 63
- Support bonus: +3 / 20
- Scoring support: 1
- Context members: 0
Top contributors
- Vulnerability (base): Provides the pre-authenticated RCE, early abuse within hours of disclosure, and file-seeking behavior on exposed Marimo systems.
- Exploitation Wave (support): Adds broader reconnaissance, credential-theft behavior, and remediation context tied to the same Marimo CVE and endpoint.
Members 2
Latest activity 29.05.2026 17:39
Active exploitation
Patch available
CVSS: 9.3 Critical
First seen 10.04.2026 10:37
Last seen 12.04.2026 17:20
Overview
**CVE-2026-39987** in **Marimo** is being exploited through the **/terminal/ws** endpoint to give unauthenticated attackers a shell on exposed notebook servers. The first observed abuse arrived about **9 hours and 41 minutes** after disclosure and moved into manual reconnaissance and secret-harvesting against internet-facing instances.
Marimo released **0.23.0** to fix the flaw, and CISA added **CVE-2026-39987** to the KEV catalog with a **2026-05-07** remediation deadline. Available evidence does not quantify how many deployments were reached, but the observed behavior shows rapid weaponization against exposed systems.
Attackers are exploiting **CVE-2026-39987** in **Marimo** to reach the **/terminal/ws** WebSocket endpoint and obtain unauthenticated remote code execution on exposed deployments. The flaw affects versions **0.20.4 and earlier** and was fixed in **0.23.0**. Sysdig observed the first exploitation attempt about **9 hours and 41 minutes** after disclosure and reported that the attacker turned advisory details into a working exploit. The activity included a full PTY shell, manual reconnaissance, repeated returns to the honeypot, and attempts to read **.env** data and search for SSH keys.
Broader activity around the disclosure involved at least **125 IP addresses** performing reconnaissance within the first **12 hours** before moving into credential-theft behavior. The observed sequence focused on shell validation, discovery commands, and harvesting environment variables, cloud credentials, and application secrets; no miners or backdoors were installed in the observed activity. Marimo released **0.23.0**, and CISA listed **CVE-2026-39987** in the Known Exploited Vulnerabilities catalog with a remediation deadline of **2026-05-07**; available evidence does not quantify how many deployments were reached.
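The overview gives defenders two concrete things to check: whether a deployment is still below the fixed release, and whether anything outside the local network has completed a WebSocket upgrade to **/terminal/ws**. The script below is an added example written for this page; it is not code from Marimo, Sysdig, or CISA. It assumes a reverse proxy in front of Marimo that logs in combined format with the `Upgrade` header appended as a final quoted field (an nginx `log_format` ending in `"$http_upgrade"`), treats RFC 1918 and loopback ranges as internal, and conservatively flags any version below **0.23.0** as needing an upgrade (the page states that **0.20.4 and earlier** are affected and **0.23.0** is the fix). The log lines are constructed, using TEST-NET addresses, and are not telemetry from the incident.

```python
"""Flag completed WebSocket upgrades to Marimo's /terminal/ws endpoint in
reverse-proxy access logs and check a running version against the fix."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Fixed release named on the page; the page lists 0.20.4 and earlier as affected.
FIXED_VERSION = "0.23.0"
TERMINAL_WS_PATH = "/terminal/ws"

# Assumption: combined log format plus the Upgrade header as a final quoted
# field, e.g. nginx: ... "$http_referer" "$http_user_agent" "$http_upgrade"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<upgrade>[^"]*)"'
)

# Assumption: these ranges are "internal"; anything else is treated as external.
INTERNAL_NETS = [
    ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample lines (TEST-NET addresses), not real incident telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2026:10:37:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0" "websocket"
10.0.0.5 - - [10/Apr/2026:10:40:11 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0" "websocket"
198.51.100.7 - - [10/Apr/2026:11:02:45 +0000] "GET /ws?session_id=abc HTTP/1.1" 101 0 "-" "Mozilla/5.0" "websocket"
203.0.113.10 - - [10/Apr/2026:11:05:00 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.5.0" "-"
"""


def parse_version(version):
    """Turn '0.20.4' into (0, 20, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_upgrade(version):
    """True when the running version is below the fixed release (conservative)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def is_external(ip):
    """True unless the address falls inside one of INTERNAL_NETS."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one access-log line; return a dict of fields or None if malformed."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_terminal_ws_upgrades(log_text):
    """Return records for completed (HTTP 101) WebSocket upgrades to /terminal/ws."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if (path == TERMINAL_WS_PATH
                and rec["status"] == "101"
                and rec["upgrade"].lower() == "websocket"):
            rec["external"] = is_external(rec["ip"])
            hits.append(rec)
    return hits


def external_sources(log_text):
    """Count successful /terminal/ws upgrades per external source address."""
    return Counter(h["ip"] for h in find_terminal_ws_upgrades(log_text) if h["external"])


if __name__ == "__main__":
    print("needs upgrade (0.20.4):", needs_upgrade("0.20.4"))
    for ip, count in external_sources(SAMPLE_LOG).items():
        print(f"external /terminal/ws upgrade from {ip}: {count} session(s)")
```

Run against a real proxy log, any external source with a completed upgrade to this path on a server that should not be internet-facing is worth treating as a candidate session from the activity the overview describes; the internal hit is listed but not counted, so the remaining noise is legitimate operator use.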
Signals
4 derived
Impact signals
Affected
schema and full contents of an internal PostgreSQL database
Exploitation
Active exploitation
CVSS
9.3 Critical
CVEs/products
CVE
Remediation
Patch available
Malware context
1 family
Member happenings
2 related
Vulnerability
Marimo pre-authenticated RCE exploited (CVE-2026-39987)
Exploitation
Active Exploitation
Exploit
No Known Public Exploit
Data Type
Authentication Tokens
Data Type
Source Code
+2
Exploitation Wave
Marimo CVE-2026-39987 exploitation wave
Exploitation
Active Exploitation
CVSS
9.3 Critical
Patch
Patch Available