Code Defence Cyber security

CISA adds critical Marimo AI notebook pre-auth RCE to KEV catalog

A critical pre-authentication remote code execution vulnerability in a popular AI orchestration framework is now being exploited in the wild. This flaw provides unauthenticated attackers with a direct path to shell access on development and production AI workstations.

Tracked as CVE-2026-39987, the vulnerability resides in the Marimo reactive notebook for Python. Attackers are currently exploiting the lack of authorization in the core execution engine to inject malicious code and exfiltrate environment variables, including LLM API keys and cloud access tokens. CISA added this flaw to the KEV catalog on April 23 after observing its use in automated campaigns targeting exposed researcher notebooks.

The rapid adoption of collaborative AI tools has outpaced traditional security governance, resulting in shadow AI deployments that lack basic perimeter isolation. When developer tools are exposed to the public internet without authentication, they become the most efficient vehicle for an attacker to compromise the organization's entire AI data pipeline.

– Immediately upgrade Marimo to the latest security version and verify that authentication is enabled for all instances.

– Place all AI development notebooks and orchestration frameworks behind a Zero Trust gateway or VPN.

– Implement strict egress filtering for development environments to block unauthorized communication with external C2 servers.

– Audit your cloud environments for any unmanaged Marimo instances that may have been deployed outside of IT oversight.
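For the authentication check and the audit for unmanaged instances, the sketch below (an added example, not Marimo's or CISA's tooling) reviews process command lines for Marimo servers that listen beyond loopback or run with token authentication turned off. It assumes Marimo's `--host` and `--no-token` CLI options and a loopback default host; confirm both against the installed version. The process list is constructed sample data.

```python
import shlex

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample (pid, command line) pairs, not captured from a real host.
SAMPLE_PS = [
    (4121, "/usr/bin/python3 -m marimo edit nb.py --host 0.0.0.0 --port 2718 --no-token"),
    (4388, "marimo run dashboard.py --host=10.0.4.17 --port 8080"),
    (4502, "marimo edit analysis.py"),
    (4610, "vim marimo_notes.txt"),
]

def option(argv, name):
    """Return the value given as `--name VALUE` or `--name=VALUE`, else None."""
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None

def is_marimo(argv):
    """True if argv starts marimo directly or through `python -m marimo`."""
    if not argv:
        return False
    exe = argv[0].rsplit("/", 1)[-1]
    if exe == "marimo":
        return True
    via_module = any(a == "-m" and argv[i + 1:i + 2] == ["marimo"] for i, a in enumerate(argv))
    return exe.startswith("python") and via_module

def audit(processes):
    """List every Marimo process with its bind host and any exposure issues."""
    findings = []
    for pid, cmdline in processes:
        argv = shlex.split(cmdline)
        if not is_marimo(argv):
            continue
        host = option(argv, "--host") or "127.0.0.1"  # assumed default: loopback
        issues = []
        if host not in LOOPBACK:
            issues.append(f"listens on {host}")
        if "--no-token" in argv:
            issues.append("token auth disabled")
        findings.append({"pid": pid, "host": host, "issues": issues})
    return findings
```

On a live host, feed `audit()` with pairs parsed from the process table instead of `SAMPLE_PS`. An instance with no issues listed still needs the upgrade, since the flaw is pre-authentication.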

AI infrastructure represents a new and high-value target for unauthenticated remote code execution that bypasses standard endpoint security. #CodeDefence #Marimo #AISecurity #CISA