ACTIVELY EXPLOITED · 3 sources verified · 4 min read
By Lyrie Threat Intelligence · 4/23/2026

What happened

CISA added Marimo’s CVE-2026-39987 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-23, confirming active exploitation in the wild [CISA KEV]. The entry tracks a pre-authorization remote code execution flaw in Marimo that enables unauthenticated attackers to obtain shell access and run arbitrary system commands [NVD entry]. CISA set a remediation due date of 2026-05-07 and instructs organizations to apply vendor mitigations, follow applicable BOD 22-01 cloud guidance, or discontinue use if mitigations are unavailable [CISA KEV].

Marimo’s own advisory aligns with this characterization and provides vendor-side guidance for remediation under GHSA-2679-6mx9-h9xc [GitHub advisory]. The CVE record is also live at MITRE and NVD for tracking and inventory mapping [MITRE CVE, NVD entry].

Why it matters

When a CVE hits KEV, CISA is signaling observed exploitation, not theoretical risk [CISA KEV]. Pre-auth RCE is high-leverage: unauthenticated access plus command execution means turnkey initial access for any internet-exposed instance [NVD entry]. The CISA entry marks the vulnerability as actively exploited and mandates rapid action with a hard deadline, compressing your response window [CISA KEV].

For Marimo shops, this is not a “wait for maintenance window” issue. A working exploit requires no credentials and yields shell-level execution, a combination that reliably converts exposure into compromise if left unaddressed [GitHub advisory, NVD entry]. CISA lists ransomware campaign use as unknown, but the exploitation status alone warrants immediate containment and patching [CISA KEV].

Technical detail

CVE-2026-39987 affects the Marimo product and is classified as a pre-authorization remote code execution flaw, enabling arbitrary system command execution by an unauthenticated attacker [NVD entry, GitHub advisory]. The weakness maps to CWE-306 (Missing Authentication for Critical Function), reflecting that the vulnerable path lacks required authentication before invoking sensitive functionality [CISA KEV].

Key facts based on the records provided:

  • Product/vendor: Marimo (Marimo) [NVD entry]
  • Exploitation status: Confirmed in the wild (inclusion in KEV) [CISA KEV]
  • Impact: Unauthenticated shell access and arbitrary command execution (RCE) [GitHub advisory]
  • Due date for remediation (federal agencies): 2026-05-07 [CISA KEV]

Version/patch specifics are controlled by the vendor advisory. Use the GHSA to determine affected versions and the exact mitigation or update path [GitHub advisory]. Track the CVE for updates or severity adjustments via NVD and MITRE as new details are published [NVD entry, MITRE CVE].

Defense

  • Patch/mitigate now per the vendor’s GHSA guidance. Do not delay with a pre-auth RCE in KEV scope [GitHub advisory, CISA KEV].
  • If mitigations are unavailable, follow CISA’s directive: apply applicable BOD 22-01 guidance for cloud services or discontinue use until mitigated [CISA KEV].
  • Maintain an authoritative inventory by CVE and product name so that every Marimo instance is accounted for during remediation, and track the CVE record for changes as the vendor updates its advisory [NVD entry, GitHub advisory].

Execution here is binary: either your exposed Marimo is patched/mitigated by the due date, or it’s a known-exploited foothold waiting to be taken [CISA KEV].
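As an added, constructed example (not code from Lyrie or the Marimo project): a small Python check that reads a KEV-feed-shaped record for CVE-2026-39987, matches it against an asset inventory by product name, and ranks hosts by exposure and days remaining to the 2026-05-07 due date. The feed fields used (cveID, product, dueDate, knownRansomwareCampaignUse, cwes) follow the published KEV JSON schema; the sample feed, inventory hostnames and exposure flags are constructed.

```python
import json
from datetime import date

# Constructed sample of the CISA KEV JSON feed, reduced to the fields this
# check uses. The Marimo entry carries the values cited in this post
# (added 2026-04-23, due 2026-05-07, CWE-306, ransomware use unknown).
KEV_FEED_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2026-39987", "vendorProject": "Marimo", "product": "Marimo",
     "dateAdded": "2026-04-23", "dueDate": "2026-05-07",
     "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-306"]}
  ]
}"""

# Constructed asset inventory: hostname, product, and whether the service is
# reachable from the internet. Product names are normalised before matching.
INVENTORY = [
    {"host": "nb-01.example.internal", "product": "marimo", "internet_exposed": True},
    {"host": "nb-02.example.internal", "product": "Marimo", "internet_exposed": False},
    {"host": "db-01.example.internal", "product": "postgresql", "internet_exposed": False},
]


def kev_by_product(feed_json):
    """Index KEV entries by lower-cased product name."""
    index = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        index.setdefault(entry["product"].lower(), []).append(entry)
    return index


def remediation_tasks(feed_json, inventory, today_iso):
    """Match inventory against KEV; one task per (host, CVE), most urgent first."""
    index = kev_by_product(feed_json)
    today = date.fromisoformat(today_iso)
    tasks = []
    for asset in inventory:
        for entry in index.get(asset["product"].lower(), []):
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            # Internet-exposed instances of a pre-auth RCE are patched first;
            # KEV already reports exploitation, so the due date is a ceiling.
            priority = "P1" if asset["internet_exposed"] else "P2"
            tasks.append({
                "host": asset["host"], "cve": entry["cveID"], "due": entry["dueDate"],
                "days_left": days_left, "overdue": days_left < 0,
                "priority": priority, "cwes": entry.get("cwes", []),
            })
    tasks.sort(key=lambda t: (t["priority"], t["days_left"]))
    return tasks
```

Point the same function at the live KEV feed download and your real CMDB export; the matching is by product name, so keep inventory product names consistent with the KEV `product` field.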

Lyrie Verdict

Pre-auth RCE plus a KEV flag is exactly the class of issue Lyrie prioritizes for autonomous response. We attach first-class context for CVE-2026-39987 and drive machine-speed triage against assets running Marimo, with enforcement posturing biased toward containment until vendor mitigations land [NVD entry, CISA KEV]. The objective: remove human latency between “KEV-listed” and “risk neutralized,” then hand operators a clean state to verify against the vendor advisory’s final fix [GitHub advisory].