Marimo CVE-2026-39987: Pre-Auth RCE Exploited Within 10 Hours of Disclosure
A critical vulnerability in the Marimo framework has been weaponized in the wild within a single business day of its public disclosure. The flaw, tracked as CVE-2026-39987, is a pre-authentication remote code execution (RCE) bug: it lets attackers run arbitrary commands on affected systems without valid login credentials. The speed of exploitation, which occurred within a 10-hour window after the CVE details were published, signals a highly aggressive threat landscape in which proof-of-concept code is rapidly integrated into active attack chains.
The vulnerability resides within the open-source Marimo computational notebook environment, a tool used by data scientists and researchers. The technical specifics of the exploit path have not been fully detailed, but its pre-auth nature dramatically lowers the barrier for attack, making any internet-exposed, unpatched instance an immediate target. This rapid weaponization follows a familiar pattern for severe RCE flaws in popular developer tools and frameworks, where a public advisory acts as a starting pistol for malicious actors.
The active exploitation places urgent pressure on all organizations and individual developers using Marimo to apply the available security patch immediately. The incident underscores the critical operational security challenge of patch velocity: the window between disclosure and attack is now measured in hours, not days. For security teams, this event is a stark reminder that monitoring for new CVEs in their software stack and executing emergency patch procedures must be treated as a real-time, continuous process to mitigate such fast-moving threats.