# CVE-2026-39987

> Critical pre-authentication remote code execution vulnerability in Marimo, an open-source reactive Python notebook platform (~20,000 GitHub stars). The terminal WebSocket endpoint at `/terminal/ws` in `marimo/_server/api/endpoints/terminal.py` performs no authentication check, unlike the primary `/ws` endpoint, which invokes `WebSocketConnectionValidator.validate_auth()`. Any unauthenticated attacker can complete a WebSocket handshake and obtain a full interactive PTY shell executing commands as the Marimo process user — typically root in default Docker deployments. Active exploitation observed just 9

- **CVSS:** 9.3 (CRITICAL)
- **EPSS:** 82.2%
- **CISA KEV:** yes
- **CWE:** CWE-306

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-39987
