Vulnerability
Exploitation Wave
Marimo WebSocket RCE abused after CVE-2026-39987 disclosure
Updated 16.04.2026 19:58
Case score 66
Score breakdown
- Total: 66
- Lead score: 63
- Support bonus: +3 / 20
- Scoring support: 1
- Context members: 0
Top contributors
- Vulnerability (base): provides the pre-authenticated RCE, early abuse within hours of disclosure, and file-seeking behavior on exposed Marimo systems.
- Exploitation Wave (support): adds broader reconnaissance, credential-theft behavior, and remediation context tied to the same Marimo CVE and endpoint.
Members 2
Latest activity 16.04.2026 19:58
Active exploitation
Patch available
CVSS: 9.3 Critical
First seen 10.04.2026 10:37
Last seen 12.04.2026 17:20
Overview
**CVE-2026-39987** in **Marimo** is being exploited through the **/terminal/ws** WebSocket endpoint, which on affected builds hands an unauthenticated client a shell on the notebook server. The flaw affects versions **0.20.4 and earlier** and is fixed in **0.23.0**. Sysdig observed the first exploitation attempt about **9 hours and 41 minutes** after disclosure and reported that the attacker turned the advisory details into a working exploit. On Sysdig's honeypot the activity was hands-on rather than automated: a full PTY shell, manual reconnaissance commands, repeated returns to the same host, attempts to read **.env** data, and searches for SSH keys.
Broader activity around the disclosure involved at least **125 IP addresses** performing reconnaissance against exposed Marimo instances within the first **12 hours**, then moving into credential theft. The observed sequence was consistent: validate the shell, run discovery commands, then harvest environment variables, cloud credentials, and application secrets. No miners or backdoors were installed in the observed activity; the attackers' goal, as far as the evidence shows, was collecting secrets.
Marimo released **0.23.0** to fix the flaw, and CISA added **CVE-2026-39987** to the Known Exploited Vulnerabilities catalog with a remediation deadline of **2026-05-07**. Available evidence does not quantify how many deployments were reached, but the timeline shows rapid weaponization against internet-facing systems. Because the observed behavior targeted secrets, a Marimo instance that was reachable from the internet on an affected version should be treated as potentially compromised: upgrading closes the hole, but any credentials present in its environment or working directory (.env contents, cloud keys, SSH keys) still need to be rotated.
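As an added example (not code from this page, from Sysdig, or from the Marimo project), the following Python script does two of the checks a responder would want after reading the above: it classifies a reported Marimo version against the version boundaries stated here, and it triages reverse-proxy access-log lines for WebSocket upgrades (HTTP 101) to /terminal/ws from outside trusted networks. The combined-style log format, the sample log lines, the trusted-network list and the user-agent strings are constructed assumptions for illustration; the only facts taken from the page are the endpoint path and the version numbers.

```python
"""Triage helpers for Marimo /terminal/ws exploitation (CVE-2026-39987).

Added example, not code from the page or from Marimo. The log format and
SAMPLE_LOG below are constructed; only the endpoint path and the version
boundaries come from the advisory data on the page.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Version boundaries as stated on the page: 0.20.4 and earlier affected, 0.23.0 fixed.
LAST_AFFECTED = (0, 20, 4)
FIXED = (0, 23, 0)

# Assumed combined-style access log written by a reverse proxy in front of Marimo.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines; the addresses are documentation ranges, not real sources.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Apr/2026:10:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2026:10:37:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"',
    '203.0.113.7 - - [10/Apr/2026:10:38:45 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"',
    '198.51.100.23 - - [10/Apr/2026:11:14:09 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "Go-http-client/1.1"',
    '127.0.0.1 - - [10/Apr/2026:11:20:00 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Apr/2026:11:14:30 +0000] "GET /api/status HTTP/1.1" 200 80 "-" "Go-http-client/1.1"',
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '0.20.4' into (0, 20, 4). Pre-release suffixes such as 'rc1' are ignored;
    short versions are padded with zeros so that '0.23' compares as 0.23.0."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def listed_affected(version: str) -> bool:
    """True when the version falls in the range the advisory lists (<= 0.20.4)."""
    return parse_version(version) <= LAST_AFFECTED


def needs_upgrade(version: str) -> bool:
    """Conservative check: anything below the fixed release 0.23.0 should be upgraded,
    including the 0.21.x/0.22.x builds the page does not explicitly classify."""
    return parse_version(version) < FIXED


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    status: int
    ua: str


def find_terminal_ws_hits(lines: list[str]) -> list[Hit]:
    """Every request to /terminal/ws, regardless of status; query strings are stripped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if path == "/terminal/ws":
            hits.append(Hit(m.group("ip"), m.group("ts"), int(m.group("status")), m.group("ua")))
    return hits


def triage(lines: list[str], trusted_networks=("127.0.0.0/8", "10.0.0.0/8")) -> dict:
    """Summarise /terminal/ws activity from sources outside the trusted networks.
    An HTTP 101 means the WebSocket upgrade succeeded, i.e. the client reached the
    terminal endpoint; other statuses are attempts that were refused."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]

    def is_trusted(ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # malformed source field: treat as untrusted
        return any(addr in net for net in trusted)

    attempts = [h for h in find_terminal_ws_hits(lines) if not is_trusted(h.ip)]
    upgrades = [h for h in attempts if h.status == 101]
    return {
        "untrusted_attempts": len(attempts),
        "untrusted_upgrades": len(upgrades),
        "distinct_sources": len({h.ip for h in attempts}),
        "top_sources": Counter(h.ip for h in attempts).most_common(3),
        "first_upgrade": upgrades[0].ts if upgrades else None,
    }


if __name__ == "__main__":
    for v in ("0.20.4", "0.22.1", "0.23.0"):
        print(v, "listed affected:", listed_affected(v), "needs upgrade:", needs_upgrade(v))
    print(triage(SAMPLE_LOG))
```

A successful 101 on /terminal/ws from an untrusted source while the instance was on an affected version is the signal to treat the host as compromised and start rotating secrets; a 403 or 404 on the same path is an attempt worth counting but not evidence of access. Which ranges count as trusted, and whether your proxy records the upgrade as 101, depend on the deployment, so adjust `trusted_networks` and the regex before running this against real logs.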