
CVE-2026-39987

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 09 April 2026
Modified: 23 April 2026
KEV Added: 23 April 2026
CVSS Score (v4): 9.3 · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.9565 (99.9th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-39987 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Coreweave Marimo. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

marimo is a reactive Python notebook that prior to version 0.23.0 exposed a pre-authentication remote code execution vulnerability in its terminal WebSocket endpoint. The /terminal/ws handler performed only a running-mode and platform-support check before accepting connections, completely bypassing the validate_auth() call used by other endpoints such as /ws. This omission is tracked as CWE-306 and carries a CVSS 4.0 score of 9.3.

An unauthenticated network attacker can therefore open a WebSocket to /terminal/ws and receive a fully functional PTY shell, enabling arbitrary operating-system command execution on the host running the notebook server. No user interaction or credentials are required, and the attack works regardless of whether the notebook is running in development or other modes that still expose the endpoint.

The official fix is included in release 0.23.0, with the correcting change committed in c24d480 and documented in security advisory GHSA-2679-6mx9-h9xc. The project’s pull request 9098 and associated commit provide the precise diff that adds the missing authentication check to the terminal handler.
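The pattern described above, as an added illustration that is not marimo's code: a terminal WebSocket handler that checks only running mode and platform, the same handler with validate_auth() run first, and a fail-closed dispatcher that enforces the check for every WebSocket route so a single omitted call cannot recur. Only the paths /ws and /terminal/ws and the validate_auth() name come from the advisory; the request object, cookie name, token and mode/platform flags are assumptions made up for this example.

```python
"""Constructed illustration of CVE-2026-39987's gap, not marimo's code: the
paths /ws and /terminal/ws and the validate_auth() name follow the advisory;
the request object, cookie, token and mode/platform flags are assumptions."""
from dataclasses import dataclass, field
import hmac

SESSION_TOKEN = "constructed-demo-token"  # constructed value, not a real secret
RUNNING_MODE = "edit"                      # the terminal is only served in edit mode
PLATFORM_SUPPORTED = True                  # stands in for the PTY platform check

@dataclass
class WsRequest:               # minimal stand-in for a WebSocket upgrade request
    path: str
    cookies: dict = field(default_factory=dict)

def validate_auth(req: WsRequest) -> bool:
    """Shared check /ws performed and /terminal/ws omitted (constant-time compare)."""
    return hmac.compare_digest(req.cookies.get("session", ""), SESSION_TOKEN)

def terminal_ws_vulnerable(req: WsRequest) -> str:
    """Pre-0.23.0 shape: only running mode and platform are checked before accept."""
    if RUNNING_MODE != "edit" or not PLATFORM_SUPPORTED:
        return "closed"
    return "pty-attached"      # a shell for whoever connected, no identity check

def terminal_ws_fixed(req: WsRequest) -> str:
    """Same handler with the missing authentication check run first."""
    if not validate_auth(req):
        return "closed:unauthorized"
    return terminal_ws_vulnerable(req)

# Fail-closed dispatch: validate_auth() runs for every WebSocket route unless
# the route is deliberately listed as public, so a forgotten call inside one
# handler can no longer expose a critical function.
PUBLIC_WS_ROUTES: frozenset = frozenset()   # nothing exempt unless added on purpose
WS_HANDLERS = {"/terminal/ws": terminal_ws_vulnerable}  # even the old handler is safe here

def dispatch_ws(req: WsRequest) -> str:
    handler = WS_HANDLERS.get(req.path)
    if handler is None:
        return "closed:not-found"
    if req.path not in PUBLIC_WS_ROUTES and not validate_auth(req):
        return "closed:unauthorized"
    return handler(req)
```

The per-handler fix closes this one endpoint; the dispatcher variant is the structural version of the same lesson, since CWE-306 gaps come from a check that is opt-in rather than default.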

The vulnerability appears on CISA’s Known Exploited Vulnerabilities catalog, and public reporting indicates that working exploits were observed in the wild less than ten hours after disclosure. The associated EPSS score reached a peak of 0.8426 and remains above 0.80, confirming sustained exploitation interest after the initial announcement.


Vulnerability details

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.

CWE(s): CWE-306 (Missing Authentication for Critical Function)
KEV Date Added: 23 April 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The CVE enables unauthenticated RCE via a public-facing WebSocket endpoint (T1190), providing direct PTY shell access for Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-61757 · Shared CWE-306 · both on KEV
CVE-2026-24423 · Shared CWE-306 · both on KEV
CVE-2026-41940 · Shared CWE-306 · both on KEV
CVE-2025-0108 · Shared CWE-306 · both on KEV
CVE-2023-54344 · Shared CWE-306
CVE-2025-48572 · Shared CWE-306 · both on KEV
CVE-2023-54342 · Shared CWE-306
CVE-2025-52089 · Shared CWE-306
CVE-2026-35546 · Shared CWE-306
CVE-2026-1603 · Shared CWE-306 · both on KEV

Affected Assets

coreweave
marimo
≤ 0.23.0

Mitigating Controls (NIST 800-53 r5, AI)

AC-3 Access Enforcement · prevent

Directly enforces that the /terminal/ws endpoint must perform validate_auth() before granting a PTY shell, blocking the unauthenticated RCE path described in the CVE.

IA-2 Identification and Authentication (Organizational Users) · prevent

Requires identification and authentication of users before allowing access to system resources, exactly the check omitted from the terminal WebSocket handler.

AC-17 Remote Access · partial match · prevent

Mandates authorization and security controls for all remote access connections, covering the unauthenticated WebSocket that exposed the PTY shell.
