On April 23, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-39987 to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability affects Marimo, an open-source reactive notebook for Python, and involves an unauthenticated code execution flaw. The inclusion in the KEV Catalog is based on reliable evidence of active exploitation in the wild.
For federal agencies, this triggers Binding Operational Directive (BOD) 22-01, requiring remediation by the mandated due date. However, the risk extends far beyond the federal enterprise. Development teams, data science platforms, and organizations using Marimo for interactive notebooks are currently exposed to a critical attack vector that allows malicious actors to execute arbitrary code without credentials. Given the nature of development environments, a compromise here often serves as a beachhead for lateral movement into production data stores.
Technical Analysis
Affected Component: Marimo (versions prior to the security patch referenced in the vendor advisory).
Vulnerability Type: Unauthenticated Remote Code Execution (RCE).
CVE ID: CVE-2026-39987
CVSS Score: Critical (Score pending, but assessed as Critical due to unauthenticated access and total system impact).
Mechanism of Exploitation: Marimo runs a local web server to host its reactive notebook interface. CVE-2026-39987 allows an attacker to send a specially crafted HTTP request to a vulnerable endpoint without requiring authentication. The application improperly sanitizes this input, leading to the deserialization of untrusted data or a bypass of input validation mechanisms. Consequently, the server executes arbitrary Python code within the context of the Marimo process.
Attack Chain:
- Reconnaissance: Attacker identifies a Marimo instance exposed to the network (often on TCP ports 2718 or 8000).
- Exploitation: Attacker sends a malicious payload to the vulnerable HTTP endpoint.
- Execution: The Marimo server (Python interpreter) executes the attacker's code.
- Objective: The attacker establishes a reverse shell, steals environment variables (API keys, secrets), or moves laterally to connected databases.
Exploitation Status: Confirmed Active Exploitation.
Detection & Response
The following detection rules focus on identifying the malicious execution patterns that result from successful exploitation of CVE-2026-39987. While blocking the initial HTTP request (for example with a WAF) is ideal, detecting the shell or child process spawned by the Marimo server is critical for defense-in-depth, since it catches exploitation regardless of the request that triggered it.
SIGMA Rules
---
title: Potential Marimo Exploitation - Spawning Shell on Windows
id: 8a2c5e01-7b4d-4c2e-9a1f-3d5f6e7a8b9c
status: experimental
description: Detects the Python Marimo application spawning a Windows shell (cmd.exe, powershell.exe or pwsh.exe), typical post-exploitation behavior for CVE-2026-39987.
references:
  - https://www.cisa.gov/news-events/alerts/2026/04/23/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2026/04/23
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\python.exe'
    ParentCommandLine|contains: 'marimo'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'   # PowerShell 7, included to match the KQL query below
  condition: all of selection_*
falsepositives:
  - Legitimate developer debugging or notebook automation scripts
level: high
---
title: Potential Marimo Exploitation - Spawning Shell on Linux
id: 9b3d6f12-8c5e-5d3f-0b2g-4e6g7f8b9c0d
status: experimental
description: Detects the Python Marimo application spawning a shell (sh, bash, zsh) on Linux, indicating potential RCE exploitation.
references:
  - https://www.cisa.gov/news-events/alerts/2026/04/23/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2026/04/23
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/python'
      - '/python3'   # most Linux distributions ship the interpreter as python3
    ParentCommandLine|contains: 'marimo'
  selection_child:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/zsh'
  condition: all of selection_*
falsepositives:
  - Legitimate developer operations within the notebook
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for Marimo parent process spawning suspicious child shells
DeviceProcessEvents
| where Timestamp > ago(1d)
// startswith rather than has: "python3" or "python3.11" is a single term and would not match has "python"
| where InitiatingProcessFileName startswith "python"
| where InitiatingProcessCommandLine has "marimo"
// in~ is case-insensitive, so Cmd.exe or PowerShell.exe are matched as well
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by Timestamp desc
Velociraptor VQL
-- Hunt for Marimo processes listening on the network and check for suspicious shell children
SELECT
Pid,
Name,
CommandLine,
Exe,
Username
FROM pslist()
WHERE Name =~ 'python' AND CommandLine =~ 'marimo'
-- Note: Correlate with netstat() in a live hunt to find listeners on port 2718
Remediation Script (Bash)
#!/bin/bash
# Remediation script for CVE-2026-39987
# Ensures Marimo is updated to the latest patched version

# Function to log messages
log() {
    echo "[$(date +'%Y-%m-%d %H:%M:%S')] $1"
}

log "Starting remediation for CVE-2026-39987..."

# Check if pip is available
if ! command -v pip3 > /dev/null 2>&1; then
    log "ERROR: pip3 not found. Please install Python/pip."
    exit 1
fi

# Upgrade Marimo to the latest version
log "Upgrading Marimo via pip..."
if pip3 install --upgrade marimo; then
    log "SUCCESS: Marimo upgraded successfully."
else
    log "ERROR: Failed to upgrade Marimo. Check permissions."
    exit 1
fi

# Restart running Marimo instances (if running as a systemd service)
# Adjust the service name based on your deployment
if command -v systemctl > /dev/null 2>&1 && systemctl list-units --type=service | grep -q "marimo"; then
    log "Restarting Marimo service..."
    systemctl restart marimo
    log "Service restarted."
else
    log "No systemd service found for Marimo. Please manually restart your notebooks."
fi

log "Remediation complete. Verify version with: pip3 show marimo"
Remediation
- Patch Immediately: Update Marimo to the latest patched version using the vendor-supplied update mechanism (pip). If running via Docker, pull the latest image from the official repository.
- Network Segmentation: Marimo notebooks are development tools and should not be exposed directly to the public internet. Ensure that instances are behind authentication proxies (e.g., OAuth, OIDC) or accessible only via SSH tunneling/VPN.
- Review Logs: Conduct a retrospective review of the Marimo application's web server (access) logs. Look for unusual POST requests, or requests that resulted in 500 errors, which might indicate exploitation attempts.
- CISA Compliance: Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by the due date specified in BOD 22-01 to mitigate the risk to federal infrastructure.
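To support the log review step above, the following triage script is an added example (not from this advisory or the Marimo project). It assumes Marimo's server writes uvicorn's default access-log format; the sample log lines and the /api/... paths in them are constructed placeholders, not real Marimo endpoints.

```python
import re
from collections import Counter

# Assumption: Marimo serves its UI through uvicorn, whose default access-log line looks like
#   INFO:     10.0.0.5:51234 - "POST /api/x HTTP/1.1" 500 Internal Server Error
# If a reverse proxy in front of Marimo writes the access log instead, adjust this pattern.
ACCESS_RE = re.compile(
    r'(?P<client>\S+):(?P<port>\d+) - '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"

def triage(lines):
    """Flag what the advisory says to look for: POST requests that ended in a 5xx, plus
    POST requests from non-loopback clients (a notebook server should only be reached
    through localhost, an SSH tunnel or an authenticating proxy).
    Returns (client, method, path, status, reason) tuples in log order."""
    findings = []
    for line in lines:
        m = ACCESS_RE.search(line)
        if not m:
            continue  # startup banners, tracebacks and other non-access lines
        client, method, path, status = m["client"], m["method"], m["path"], int(m["status"])
        if method != "POST":
            continue  # the advisory's guidance centres on unusual POSTs
        if 500 <= status < 600:
            findings.append((client, method, path, status, "POST with 5xx response"))
        elif not is_loopback(client):
            findings.append((client, method, path, status, "POST from non-loopback client"))
    return findings

def per_client(findings):
    """Count findings per source address so repeated probing from one host stands out."""
    return dict(Counter(f[0] for f in findings))

# Constructed sample log, not real Marimo output; the /api/... paths are placeholders.
SAMPLE_LOG = """\
INFO:     Uvicorn running on http://0.0.0.0:2718 (Press CTRL+C to quit)
INFO:     127.0.0.1:50012 - "GET / HTTP/1.1" 200 OK
INFO:     127.0.0.1:50014 - "POST /api/placeholder-save HTTP/1.1" 200 OK
INFO:     198.51.100.7:41322 - "POST /api/placeholder-endpoint HTTP/1.1" 500 Internal Server Error
INFO:     198.51.100.7:41330 - "POST /api/placeholder-endpoint HTTP/1.1" 500 Internal Server Error
INFO:     198.51.100.7:41340 - "POST /api/placeholder-endpoint HTTP/1.1" 200 OK
INFO:     203.0.113.9:55010 - "GET /favicon.ico HTTP/1.1" 404 Not Found
""".splitlines()
```

Run `triage()` over the real log file's lines and feed the result to `per_client()`; a single external address accounting for repeated 5xx POSTs is the pattern worth escalating.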