🚨 CRITICAL ALERT: Active Zero-Day Exploits

Urgent: Attackers are actively exploiting CVE-2026-39987 (CVSS 9.8) in Marimo Python notebooks, achieving pre-auth RCE via unauthenticated WebSocket connections within hours of disclosure on April 8, 2026. Real-world attacks include credential theft, manual shell access, and deployment of malware such as the NKAbuse botnet. Patch immediately to prevent full server compromise.

Critical Vulnerabilities (CVSS >= 8.0)

  • CVE-2026-39987 (CVSS: 9.8): The Marimo reactive Python notebook prior to 0.23.0 exposes the /terminal/ws WebSocket endpoint without authentication, granting unauthenticated attackers a full PTY shell and arbitrary command execution. Exploited in the wild within 10 hours of disclosure by methodical operators stealing credentials and SSH keys and deploying malware; affects data science/ML environments.

⚡ Immediate Actions Required

Do this NOW:

  • Upgrade Marimo to 0.23.0 or later across all instances.
  • Block external access to Marimo ports (default 2718); use firewalls/VPC rules.
  • Scan for exposed instances: Check /terminal/ws endpoint for unauthenticated access.
  • Review logs for WebSocket connections post-April 8, 2026; hunt for anomalous shells, .env/SSH key theft, or NKAbuse IOCs.
  • Monitor CISA KEV for updates—active exploitation confirmed by Sysdig and others.
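
A starting point for the log review step above, as an added example that is not part of the original alert or of Marimo itself. It assumes Marimo sits behind a reverse proxy that writes combined-format access logs; the function names, the internal network list, and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Disclosure date stated in the alert; earlier connections are out of scope.
DISCLOSURE = datetime(2026, 4, 8, tzinfo=timezone.utc)
# Assumption: these ranges are "internal" for your site; adjust as needed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Combined log format: ip - user [time] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def hunt_terminal_ws(lines):
    """Return {source_ip: [timestamps]} for completed /terminal/ws upgrades."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-access-log lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0].rstrip("/")
        # 101 Switching Protocols means the WebSocket handshake succeeded.
        if path.endswith("/terminal/ws") and m["status"] == "101" and ts >= DISCLOSURE:
            hits[m["ip"]].append(ts)
    return dict(hits)

def is_external(ip):
    """True when the source address is outside every INTERNAL_NETS range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

# Constructed sample log lines (documentation-range and private addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Apr/2026:19:02:11 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets"',
    '203.0.113.7 - - [08/Apr/2026:19:05:40 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 0 "-" "-"',
    '10.0.4.12 - - [09/Apr/2026:08:15:00 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Apr/2026:23:59:59 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "-"',
    '198.51.100.9 - - [09/Apr/2026:01:00:00 +0000] "GET /terminal/ws HTTP/1.1" 403 12 "-" "-"',
    '192.0.2.5 - - [09/Apr/2026:01:00:00 +0000] "GET /ws HTTP/1.1" 101 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, times in hunt_terminal_ws(SAMPLE_LOG).items():
        label = "EXTERNAL" if is_external(ip) else "internal"
        print(f"{label:8} {ip:15} {len(times)} upgrade(s), first {min(times).isoformat()}")
```

Any external source with a completed upgrade on a pre-0.23.0 instance should be treated as a potential shell session and followed up with host-level review.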