Executive Summary
In April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-39987 to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting active exploitation of a critical remote code execution vulnerability in Marimo, a reactive Python notebook application. This flaw, present in versions prior to 0.23.0, allows unauthenticated attackers to gain full pseudo-terminal shell access via the /terminal/ws WebSocket endpoint, enabling arbitrary command execution on the host system. The vulnerability arises from the endpoint's failure to enforce authentication, unlike other WebSocket endpoints in the application. Marimo has addressed this issue in version 0.23.0 by implementing proper authentication checks. Organizations using affected versions are urged to update immediately to mitigate potential risks. (securityvulnerability.io)
The inclusion of CVE-2026-39987 in CISA's KEV Catalog underscores the ongoing threat posed by unpatched vulnerabilities in widely used development tools. This incident highlights the critical need for organizations to maintain up-to-date software and implement robust security measures to protect against unauthorized access and potential data breaches.
Why This Matters Now
The active exploitation of CVE-2026-39987 in Marimo underscores the urgent need for organizations to promptly update their systems to prevent unauthorized access and potential data breaches. This incident highlights the critical importance of maintaining up-to-date software and implementing robust security measures to protect against emerging threats.
Attack Path Analysis
An unauthenticated attacker exploited the Marimo RCE vulnerability (CVE-2026-39987) to gain initial access via the terminal WebSocket endpoint. They escalated privileges by executing arbitrary system commands, enabling full control over the host system. The attacker moved laterally to other systems within the network. They established a command and control channel to maintain persistent access. Sensitive data was exfiltrated from the compromised systems. Finally, the attacker deployed ransomware, encrypting critical files and disrupting operations.
Kill Chain Progression
Initial Compromise
Description
Exploited the unauthenticated terminal WebSocket endpoint in Marimo to gain initial access.
Related CVEs
CVE-2026-39987
CVSS 9.8A pre-authentication remote code execution vulnerability in Marimo allows unauthenticated attackers to execute arbitrary system commands via the terminal WebSocket endpoint.
Affected Products:
Marimo Team Marimo – < 0.23.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Windows Command Shell
Command and Scripting Interpreter: Unix Shell
Valid Accounts
File and Directory Discovery
Network Service Scanning
Impair Defenses: Disable or Modify Tools
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Marimo remote code execution vulnerability directly impacts software development environments, requiring immediate patching of interactive computing platforms and enhanced segmentation controls.
Government Administration
Federal agencies face BOD 22-01 compliance requirements for CVE-2026-39987 remediation while implementing zero trust network controls and encrypted traffic monitoring.
Financial Services
Banking institutions must address remote code execution risks in data science workflows while maintaining PCI compliance through enhanced egress filtering and anomaly detection.
Health Care / Life Sciences
Healthcare organizations using Marimo for research analytics face HIPAA compliance risks requiring immediate vulnerability remediation and strengthened workload-to-workload security controls.
Sources
- CISA Adds One Known Exploited Vulnerability to Cataloghttps://www.cisa.gov/news-events/alerts/2026/04/23/cisa-adds-one-known-exploited-vulnerability-catalogVerified
- Marimo Security Advisory GHSA-2679-6mx9-h9xchttps://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xcVerified
- NVD - CVE-2026-39987https://nvd.nist.gov/vuln/detail/CVE-2026-39987Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained by limiting exposure of vulnerable endpoints through strict segmentation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing strict identity-based access controls.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely have been constrained by monitoring and controlling east-west traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may have been limited by comprehensive visibility and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely have been constrained by strict egress policies and monitoring.
The attacker's ability to deploy ransomware and disrupt operations may have been limited by reducing the blast radius through strict segmentation.
Impact at a Glance
Affected Business Functions
- Data Analysis
- Research and Development
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive research data and intellectual property.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement within the network.
- • Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts.
- • Utilize Threat Detection & Anomaly Response to identify and respond to suspicious activities.
- • Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- • Ensure all systems are updated to the latest versions to mitigate known vulnerabilities.
