Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
The Marimo advisory dropped. Nine hours and 41 minutes later, Sysdig’s honeypots caught someone actively exploiting it. No public proof-of-concept existed. The attacker read the advisory, built their own exploit, and connected to the vulnerable endpoint before most people had processed the alert.
CVE-2026-39987 is a pre-auth RCE in Marimo, the reactive Python notebook popular in AI development workflows. CVSS 9.3. The flaw is a WebSocket terminal endpoint that skips authentication. One handshake, full shell. The attacker manually harvested .env files and SSH keys across four sessions in about 90 minutes.
This is a pattern now. Langflow: exploited in 20 hours. Flowise: similar. Marimo: under 10. AI developer tools are being targeted specifically because compromising them hands attackers your LLM API keys, cloud credentials, and proprietary training data directly.
Your “patch within 30 days” policy cannot handle a 9-hour exploitation timeline. Runtime detection isn’t a backup plan. It’s required.
Upgrade to Marimo 0.23.0. Check logs for access to /terminal/ws. Rotate any API keys stored on machines running a pre-patch version.
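One way to do that log check, as an added example (this is not code from the advisory, from Sysdig, or from the Marimo project). It assumes a reverse proxy in front of Marimo writing combined-format access logs, treats 10.0.0.0/8 and 127.0.0.0/8 as the trusted networks, and uses /terminal/ws as the endpoint path named above; the log lines are constructed for the example. A 101 status on that path means the WebSocket handshake completed, i.e. the terminal was actually reached.

```python
"""Scan access logs for hits on Marimo's /terminal/ws endpoint.

Added example, not code from the advisory or the Marimo project. Assumes a
reverse proxy in front of Marimo that writes a combined-format access log:
  ip - - [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
"""
import ipaddress
import re

# Endpoint path from the advisory write-up (query string is stripped first).
TERMINAL_WS_PATH = "/terminal/ws"

# Assumed trusted source ranges; anything else is reported as external.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("127.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines, not real captures.
SAMPLE_LOG = """\
10.0.0.7 - - [01/May/2026:10:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/May/2026:10:02:15 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
198.51.100.23 - - [01/May/2026:10:14:42 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "websocket-client"
198.51.100.23 - - [01/May/2026:10:15:09 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 0 "-" "websocket-client"
198.51.100.23 - - [01/May/2026:10:20:00 +0000] "GET /static/app.js HTTP/1.1" 200 88 "-" "websocket-client"
203.0.113.5 - - [01/May/2026:11:01:03 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.4.0"
this line is not an access-log record and must be skipped
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_terminal_ws(path):
    """True if the request path (minus query string) is the terminal endpoint."""
    return path.split("?", 1)[0].rstrip("/") == TERMINAL_WS_PATH


def is_external(ip, trusted_nets=TRUSTED_NETS):
    """True unless the address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in trusted_nets)


def scan(lines, trusted_nets=TRUSTED_NETS):
    """Aggregate /terminal/ws requests per source IP."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_terminal_ws(rec["path"]):
            continue
        h = hits.setdefault(rec["ip"], {
            "count": 0, "completed": 0,
            "first": rec["ts"], "last": rec["ts"],
            "external": is_external(rec["ip"], trusted_nets),
            "agents": set(),
        })
        h["count"] += 1
        # 101 Switching Protocols: the WebSocket handshake succeeded and the
        # client reached the terminal. Any other status means it did not.
        if rec["status"] == 101:
            h["completed"] += 1
        h["last"] = rec["ts"]
        if rec.get("ua"):
            h["agents"].add(rec["ua"])
    return hits


def findings(lines, trusted_nets=TRUSTED_NETS):
    """Return per-IP rows, external sources with completed handshakes first."""
    rows = [dict(ip=ip, **h) for ip, h in scan(lines, trusted_nets).items()]
    rows.sort(key=lambda r: (not r["external"], -r["completed"], r["ip"]))
    return rows


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG.splitlines()):
        flag = "EXTERNAL" if f["external"] else "internal"
        print(f"{f['ip']:<16} {flag:<8} hits={f['count']} "
              f"handshakes={f['completed']} first={f['first']} "
              f"last={f['last']} ua={sorted(f['agents'])}")
```

Any external source with a completed handshake on a host that was running a pre-patch version is the trigger for the key rotation above; an internal hit with a browser user agent is most likely a legitimate notebook session, but still worth confirming against who was logged in at that time.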