Marimo, a reactive Python notebook, exposes an unauthenticated terminal WebSocket endpoint that hands attackers a full PTY shell; CISA added it to KEV on 2026-04-23 with a critical CVSS of 9.8.
What Is It
CVE-2026-39987 is a pre-authentication remote code execution flaw in Marimo prior to version 0.23.0. The terminal WebSocket endpoint /terminal/ws skips authentication entirely: unlike sibling endpoints such as /ws, which correctly call validate_auth(), the terminal endpoint checks only the running mode and platform support before accepting a connection. Any unauthenticated network attacker who can reach the endpoint receives a full PTY shell and can execute arbitrary system commands as the user running Marimo. The weakness is classified as CWE-306 (Missing Authentication for Critical Function).
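The following is an added illustration of the CWE-306 pattern described above, not Marimo's code: one WebSocket handler that checks only the running mode and platform support before accepting, beside the hardened form in which every WebSocket handler is routed through a single authentication gate, plus a route-table audit that flags any handler missing that gate. The WebSocket stand-in, the handlers, the route table and the session token are all constructed for this example.

```python
"""
Stand-in objects for the vulnerable pattern (mode/platform checked, caller's
identity never checked) and the hardened pattern (one auth wrapper on every
WebSocket route). Nothing here is Marimo's own code.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Hypothetical per-server secret; a real server generates this at start-up.
SERVER_TOKEN = "constructed-session-token"


@dataclass
class WebSocket:
    """Minimal stand-in for a framework WebSocket: path, cookies, accept/close."""
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    accepted: bool = False
    close_code: Optional[int] = None

    def accept(self) -> None:
        self.accepted = True

    def close(self, code: int = 1008) -> None:  # 1008 = policy violation
        self.close_code = code


def validate_auth(ws: WebSocket) -> bool:
    """Constant-time comparison of the session cookie against the server token."""
    token = ws.cookies.get("session", "")
    return hmac.compare_digest(token, SERVER_TOKEN)


def terminal_ws_unguarded(ws: WebSocket, mode: str = "edit",
                          pty_supported: bool = True) -> bool:
    """The bug class: only mode and platform are checked, never who is calling."""
    if mode != "edit" or not pty_supported:
        ws.close(1008)
        return False
    ws.accept()
    return True


def require_auth(handler: Callable[..., bool]) -> Callable[..., bool]:
    """Wrap a handler so the auth check runs before any other logic."""
    def guarded(ws: WebSocket, *args, **kwargs) -> bool:
        if not validate_auth(ws):
            ws.close(1008)
            return False
        return handler(ws, *args, **kwargs)
    guarded.auth_guarded = True  # marker the route audit below looks for
    return guarded


# Hardened form: the same handler, with authentication enforced by the wrapper.
terminal_ws_guarded = require_auth(terminal_ws_unguarded)


def notebook_ws(ws: WebSocket) -> bool:
    """Stand-in for the sibling /ws handler."""
    ws.accept()
    return True


# Constructed route table mirroring the advisory: /ws is gated, /terminal/ws is not.
ROUTES: Dict[str, Callable[..., bool]] = {
    "/ws": require_auth(notebook_ws),
    "/terminal/ws": terminal_ws_unguarded,
}


def unguarded_websocket_routes(routes: Dict[str, Callable[..., bool]]) -> List[str]:
    """Route-table audit: every WebSocket path must carry the auth marker."""
    return sorted(path for path, handler in routes.items()
                  if not getattr(handler, "auth_guarded", False))


if __name__ == "__main__":
    anon = WebSocket("/terminal/ws")
    print("unguarded handler accepted anonymous client:", terminal_ws_unguarded(anon))
    anon = WebSocket("/terminal/ws")
    print("guarded handler accepted anonymous client:", terminal_ws_guarded(anon))
    print("routes missing the auth gate:", unguarded_websocket_routes(ROUTES))
```

The point of the wrapper plus the audit is that authentication becomes a property of the route table rather than something each handler remembers to call; a test that asserts `unguarded_websocket_routes(ROUTES) == []` would have caught a terminal route registered without the gate.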
Why It Matters
NVD scores the bug 9.8 CRITICAL (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); the secondary CVSS 4.0 score is 9.3. Attack vector is network, complexity is low, and no privileges or user interaction are required; a single WebSocket request is enough to land code execution.
CISA added CVE-2026-39987 to the Known Exploited Vulnerabilities catalog on 2026-04-23, confirming active exploitation in the wild. A Sysdig writeup tracks the path from disclosure to exploitation in under 10 hours. Ransomware association is currently listed as Unknown.
What's Vulnerable
All Marimo releases prior to 0.23.0 are affected. The vulnerable CPE listed by NVD is cpe:2.3:a:coreweave:marimo:*:*:*:*:*:python:*:* with versionEndExcluding 0.23.0. Any exposed Marimo instance, whether local, internal, or internet-facing, that can be reached on its WebSocket port is at risk, since no credentials are needed to reach /terminal/ws.
Patch Status
Fixed in Marimo 0.23.0 via PR #9098 and commit c24d480. CISA's required action (due 2026-05-07) is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Upgrade to 0.23.0 or later immediately; restrict network exposure of any Marimo instance that cannot be patched yet.
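An added triage helper for the affected range stated above (every release before 0.23.0, i.e. versionEndExcluding 0.23.0), written for this page rather than taken from Marimo or CISA. The version parser, the inventory format and the sample hosts are constructed; it checks the marimo package in the current interpreter and ranks an inventory of instances by exposure so the most reachable ones are patched or isolated first.

```python
"""
Version-range triage for CVE-2026-39987: affected means strictly below 0.23.0.
Pre-release tags (rc, dev, ...) on 0.23.0 order before the final release and are
therefore still flagged; post-release suffixes are also flagged, which errs on
the side of a false positive rather than a miss.
"""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import List, Optional, Tuple

FIXED_VERSION = "0.23.0"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Sortable key (major, minor, patch, final): any suffix marks a non-final
    build, which sorts before the bare version."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_affected(version: str) -> bool:
    """True when the release lies inside the versionEndExcluding 0.23.0 range."""
    return version_key(version) < version_key(FIXED_VERSION)


def installed_marimo_affected() -> Optional[bool]:
    """Check the marimo package in this interpreter; None if it is not installed."""
    try:
        return is_affected(installed_version("marimo"))
    except PackageNotFoundError:
        return None


# Constructed inventory: (host, marimo version, network exposure).
INVENTORY: List[Tuple[str, str, str]] = [
    ("nb-dev-01", "0.22.1", "internet"),
    ("nb-team-02", "0.23.0rc1", "internal"),
    ("nb-lab-03", "0.23.0", "internal"),
    ("nb-ci-04", "0.21.9", "loopback"),
    ("nb-new-05", "0.23.2", "internet"),
]

# Lower rank = more reachable = higher patch priority.
EXPOSURE_RANK = {"internet": 0, "internal": 1, "loopback": 2}


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Affected hosts only, most exposed first, then by host name."""
    hits = [row for row in inventory if is_affected(row[1])]
    return sorted(hits, key=lambda r: (EXPOSURE_RANK.get(r[2], 99), r[0]))


if __name__ == "__main__":
    print("local marimo affected:", installed_marimo_affected())
    for host, ver, exposure in triage(INVENTORY):
        print(f"{host}: marimo {ver} ({exposure}) -> upgrade to {FIXED_VERSION}+ or restrict access")
```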