Join our Experts on June 24 as they explain how to Detect, Divert, and Deceive AI-Assisted Threats
Get a Demo

Vulnerabilities

CVE-2026-39987

CVE-2026-39987 allows unauthenticated attackers to execute arbitrary commands on vulnerable Marimo instances through an exposed WebSocket endpoint.

CVSS Gauge
CVSS Needle
CVSS Score: 9.8

Summary

CVE-2026-39987 is a critical Marimo vulnerability that allows unauthenticated attackers to gain shell access and execute arbitrary commands through the exposed /terminal/ws endpoint. The flaw affects versions before 0.23.0, has been actively exploited, and can lead to credential theft, unauthorized access, and system compromise. Upgrading to version 0.23.0 or later fixes the issue.

Urgent Actions Required

  • Upgrade Marimo to version 0.23.0 or later immediately.
  • Restrict or block access to the /terminal/ws endpoint until patching is completed.
  • Review systems for unauthorized WebSocket connections and suspicious terminal activity.
  • Rotate credentials, API keys, SSH keys, and other secrets that may have been accessible from vulnerable Marimo environments.
  • Limit network exposure of Marimo instances and allow access only from trusted networks.

Which Systems Are Vulnerable to CVE-2026-39987?

Technical Overview 

How Does the CVE-2026-39987 Exploit Work?

The attack typically follows these steps:

CVE-2026-39987

What Causes CVE-2026-39987?

Vulnerability Root Cause:   

The vulnerability is caused by a missing authentication check in Marimo’s /terminal/ws WebSocket endpoint. While other WebSocket endpoints enforce authentication before accepting connections, the terminal endpoint does not validate user credentials. Instead, it only verifies operational requirements such as running mode and platform support. As a result, unauthenticated users can establish a terminal session and execute commands on the affected system.

How Can You Mitigate CVE-2026-39987?

If immediate patching is delayed or not possible: 

  • Restrict access to Marimo instances using firewall rules and allow connections only from trusted networks or IP addresses.
  • Block or limit access to the /terminal/ws endpoint through network controls.
  • Place Marimo behind an authenticated reverse proxy to add an additional access control layer.
  • Disable terminal functionality if it is not required in the environment.
  • Monitor logs for unauthorized or unusual WebSocket connections to the /terminal/ws endpoint.

Which Assets and Systems Are at Risk?

  • Asset Types Affected:
    • Marimo notebook environments running versions prior to 0.23.0
    • AI and data science development platforms using Marimo
    • Docker-based Marimo deployments with terminal functionality enabled
  • Business-Critical Systems at Risk:
    • AI development environments containing LLM API keys and access tokens
    • Systems storing cloud service credentials in environment files or configuration directories
    • Shared notebook servers and cloud-hosted development instances used by engineering and research teams
  • Exposure Level:
    • Internet-accessible Marimo instances
    • Cloud-hosted Marimo deployments exposed to external networks
    • Shared GPU servers and containerized environments running vulnerable Marimo versions

Will Patching CVE-2026-39987 Cause Downtime?

Patch application impact: Low. Updating to Marimo 0.23.0 or later is the recommended fix. Brief service interruption may occur during the update process.

Mitigation (if immediate patching is not possible): Restrict access to Marimo instances, block access to /terminal/ws, or place Marimo behind an authenticated reverse proxy until the update can be applied.

How Can You Detect CVE-2026-39987 Exploitation?

Exploitation Signatures: 

Monitor for WebSocket connections to the /terminal/ws endpoint, especially from external or unauthorized IP addresses.

MITRE ATT&CK Mapping:

  • T1190 - Exploit Public-Facing Application 

Indicators of Compromise (IOCs/IOAs):

  • WebSocket connections to /terminal/ws from external or unauthorized IP addresses
  • Attempts to access .env files
  • Searches for SSH keys
  • Reading of sensitive files

Behavioral Indicators:

  • Terminal sessions initiated without authentication
  • File system reconnaissance
  • Environment variable extraction

Alerting Strategy:

  • Priority: Critical
  • Trigger alerts for:
    • Access to the /terminal/ws endpoint
    • Terminal sessions without corresponding authentication events
    • Attempts to access .env files, SSH keys, or other sensitive files

Remediation & Response

  • Remediation Timeline:
    • Immediate: Upgrade Marimo to version 0.23.0 or later.
    • As soon as possible: Restrict access to Marimo instances and the /terminal/ws endpoint if upgrades cannot be completed immediately.
    • After remediation: Verify that no vulnerable Marimo versions remain deployed.
  • Rollback Plan:
    • If issues occur after upgrading, restore the previous deployment version and restrict access to the /terminal/ws endpoint until a validated fix can be applied.
    • Record rollback actions according to internal change-management procedures.
  • Incident Response Considerations:
    • Treat internet-accessible Marimo instances as potentially compromised if they were exposed before patching.
    • Review logs for connections to the /terminal/ws endpoint, particularly after April 8, 2026.
    • Investigate access to .env files, SSH keys, environment variables, and other sensitive files.
    • Rotate exposed credentials, including cloud credentials, API keys, SSH keys, and database passwords.
    • Enable detailed logging of WebSocket connection attempts and monitor for suspicious terminal activity.

Compliance & Governance Notes

  • Audit Trail Requirement: 
    • Log WebSocket connection attempts to the /terminal/ws endpoint.
    • Review access logs for connections to /terminal/ws, particularly for instances exposed before remediation.
    • IRecord upgrade and remediation activities as part of normal change-management processes.

See How Fidelis Sandbox Detects Advanced Malware in Real Time

      • Real-time malware analysis in cloud or on-premises environments
      • Key features and capabilities of Fidelis Sandbox
      • Technical specifications and suspicious file submission methods
Download the Data Sheet

CVSS Breakdown Table 

MetricValue Description
Base Score9.8Critical severity vulnerability
Attack VectorNetwork   Exploitable remotely through the vulnerable WebSocket endpoint
Attack ComplexityLowExploitation does not require special conditions
Privileges RequiredNoneNo authentication is required
User Interaction NoneNo user involvement is needed
Scope Unchanged Impact is limited to the vulnerable component
Confidentiality Impact HighAttackers can access sensitive files, credentials, and environment data
Integrity Impact HighArbitrary command execution can modify system data and configurations
Availability ImpactHighCommand execution may disrupt or impact system operations

References:

  1. NVD – CVE-2026-39987
  2. CVE Record: CVE-2026-39987

Vulnerability Overview 

CVE ID: CVE-2026-39987

CVE Title: Marimo Pre-Authentication Remote Code Execution via Terminal WebSocket Authentication Bypass

Severity: Critical

CVSS Score: 9.8

Exploit Status: Actively exploited in the wild

Business Risk: Unauthenticated attackers can gain shell access and execute arbitrary commands, leading to credential theft, data exposure, malware deployment, and system compromise.

Identifying CVEs Cover Banner

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo