Warning: Critical Pre-Authentication Remote Code Execution in Marimo exploited in the wild, Patch Immediately!

Published: 13/04/2026

    * Last Update: 13/04/2026

    * Affected products:
         → Marimo versions prior to 0.20.4.

    * Type: Pre-authentication Remote Code Execution

    * CVE/CVSS:
         → CVE-2026-39987: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Sources

GitHub - https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc

Risks

Marimo is an open-source reactive Python notebook that technical teams use to build internal data pipelines. It often handles sensitive data, connecting to databases, internal APIs and backend services, frequently with elevated credentials. By successfully exploiting CVE-2026-39987, an unauthenticated attacker can execute code on the server hosting Marimo with the privileges of the Marimo process, which are often root by default.

The vulnerability has a severe impact on the confidentiality, integrity and availability of the affected server, requires no user interaction and can be exploited remotely.

The security advisory includes a proof-of-concept. Exploitation in the wild began within hours of disclosure, so the vulnerability should be remediated as fast as possible.

Description

CVE-2026-39987 is a Remote Code Execution vulnerability caused by missing authentication in the terminal WebSocket endpoint. Normally, Marimo's WebSocket endpoints call the validate_auth() function before accepting connections. The “/terminal/ws” endpoint, on the other hand, only checks the running mode and platform support before accepting connections and skips the authentication verification step.

As a result, an unauthenticated attacker can obtain a full interactive shell on the server with the privileges of the Marimo process, which is commonly root in default Docker images.
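The following is an added illustration, not code from the marimo project or from the advisory. It models the ordering defect the description refers to with a framework-free request object: a handler that gates only on running mode and platform support, beside the same handler with an authentication check placed first, as the other WebSocket endpoints already do. The WsRequest class, the SERVER_TOKEN, the RUN_MODE/PLATFORM_SUPPORTED values and the cookie and header names are constructed assumptions, and validate_auth() here is a stand-in for the project's function of the same name.

```python
import hmac
from dataclasses import dataclass, field


# Hypothetical request model (assumption): just enough to carry credentials.
# marimo's real handlers are Starlette WebSocket routes and are not reproduced.
@dataclass
class WsRequest:
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


# Constructed server-side settings, not marimo defaults.
SERVER_TOKEN = "constructed-session-token"
RUN_MODE = "edit"           # mode in which the terminal feature is available
PLATFORM_SUPPORTED = True   # e.g. pty support on this OS


def validate_auth(request: WsRequest) -> bool:
    """Stand-in for the project's auth check: accept a session token from a
    cookie or a header and compare it in constant time so a wrong guess does
    not leak how many leading bytes matched."""
    presented = request.cookies.get("session") or request.headers.get("x-session-token")
    if presented is None:
        return False
    return hmac.compare_digest(presented, SERVER_TOKEN)


def terminal_ws_vulnerable(request: WsRequest) -> str:
    """Models the pre-0.20.4 behaviour the advisory describes: only the running
    mode and platform support are checked before the socket is accepted, so an
    unauthenticated caller reaches the shell."""
    if RUN_MODE != "edit":
        return "rejected: terminal not available in this mode"
    if not PLATFORM_SUPPORTED:
        return "rejected: platform unsupported"
    return "accepted: interactive shell attached"


def terminal_ws_fixed(request: WsRequest) -> str:
    """Same gate with authentication evaluated first; the mode and platform
    checks are only reached by an authenticated caller."""
    if not validate_auth(request):
        return "rejected: unauthorized"
    if RUN_MODE != "edit":
        return "rejected: terminal not available in this mode"
    if not PLATFORM_SUPPORTED:
        return "rejected: platform unsupported"
    return "accepted: interactive shell attached"


def rejects_unauthenticated(handler) -> bool:
    """Regression check a maintainer would keep for every WebSocket route:
    a request carrying no credentials must never be accepted."""
    return handler(WsRequest()).startswith("rejected: unauthorized")


if __name__ == "__main__":
    anonymous = WsRequest()
    print("vulnerable:", terminal_ws_vulnerable(anonymous))
    print("fixed     :", terminal_ws_fixed(anonymous))
    print("fixed+auth:", terminal_ws_fixed(WsRequest(cookies={"session": SERVER_TOKEN})))
```

The rejects_unauthenticated() check is the useful part for a code base with several WebSocket routes: run it over every route handler, and a new endpoint that forgets the authentication step fails the test instead of shipping.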

Recommended Actions

Limit Exposure
Restrict network access to Marimo instances using firewall rules, limiting exposure to trusted networks only.

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
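As an added example supporting the Patch and Monitor/Detect actions above (not part of the CCB advisory, and not marimo project code), the script below does two defender-side checks: it compares an installed marimo version string against the patched 0.20.4 release, and it scans reverse-proxy access-log lines for WebSocket upgrade requests to the /terminal/ws path, separating sources inside trusted networks from external ones. The log lines, the log format (client IP, request line, status, bytes, then the Upgrade header value, which a proxy only emits if its log format is configured to include it) and the trusted network ranges are constructed assumptions.

```python
import ipaddress
import re

# First release without the defect, per the advisory.
PATCHED_VERSION = (0, 20, 4)


def parse_version(text: str) -> tuple:
    """Extract the numeric X.Y.Z part of a version string; pre-release or build
    suffixes are ignored for the comparison."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(text: str) -> bool:
    """True for any release prior to 0.20.4."""
    return parse_version(text) < PATCHED_VERSION


# Constructed trusted ranges (assumption): adjust to the networks that should
# legitimately reach the notebook server.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed proxy log format: ip ident user [time] "request" status bytes "upgrade-header".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "(?P<upgrade>[^"]*)"$'
)

# Constructed sample lines; 101 is a completed WebSocket upgrade.
SAMPLE_LOG = """\
203.0.113.45 - - [13/Apr/2026:09:12:01 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "websocket"
10.1.2.3 - - [13/Apr/2026:09:13:22 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "websocket"
198.51.100.7 - - [13/Apr/2026:09:14:05 +0000] "GET /ws?session_id=abc HTTP/1.1" 101 0 "websocket"
198.51.100.7 - - [13/Apr/2026:09:14:06 +0000] "GET / HTTP/1.1" 200 512 "-"
203.0.113.45 - - [13/Apr/2026:09:15:40 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "websocket"
"""


def find_terminal_ws_hits(log_text: str, trusted=TRUSTED_NETWORKS) -> list:
    """Return every WebSocket upgrade attempt against /terminal/ws, tagging
    whether the client sits outside the trusted ranges. The path is matched by
    suffix so a base-URL prefix in front of the app does not hide it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; a real deployment would log this
        path = m["path"].split("?", 1)[0]
        if not path.endswith("/terminal/ws") or m["upgrade"].lower() != "websocket":
            continue
        client = ipaddress.ip_address(m["ip"])
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "external": not any(client in net for net in trusted),
        })
    return hits


def external_shell_sessions(log_text: str) -> list:
    """The lines worth an incident ticket: completed upgrades (101) to the
    terminal endpoint from outside the trusted networks."""
    return [h for h in find_terminal_ws_hits(log_text) if h["external"] and h["status"] == 101]


if __name__ == "__main__":
    for v in ("0.20.3", "0.20.4", "0.21.0"):
        print(f"marimo {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
    for hit in find_terminal_ws_hits(SAMPLE_LOG):
        print(hit)
    print("external shell sessions:", len(external_shell_sessions(SAMPLE_LOG)))
```

A 403 on the terminal path from an external address (last sample line) is what a patched server produces for an unauthenticated upgrade attempt and is still worth recording as reconnaissance; a 101 from an external address on a pre-0.20.4 server should be treated as a completed intrusion, which is why patching alone does not close the investigation.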

References

NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-39987
EndorLabs - https://www.endorlabs.com/learn/root-in-one-request-marimos-critical-pre-auth-rce-cve-2026-39987
SentinelOne - https://www.sentinelone.com/vulnerability-database/cve-2026-39987/