Severity: CRITICAL | CVSS 9.3 | Active Exploitation Confirmed
The Threat
CVE-2026-39987 is a pre-authentication (unauthenticated) remote code execution (RCE) vulnerability in Marimo, a widely used open-source Python notebook platform for data science, machine learning, and analytical workflows. Sysdig researchers confirmed that active exploitation began within 10 hours of public disclosure - one of the fastest weaponization timelines recorded for a data tooling vulnerability in 2026.
With a CVSS score of 9.3, the flaw requires no authentication, meaning an attacker with network access to an exposed Marimo instance can execute arbitrary code on the host server immediately - no credentials, no social engineering, no phishing required. The attack surface is every Marimo instance reachable over a network, whether it runs on an on-premises server or in a cloud environment.
Why This Matters to East African Organizations
Marimo has seen rapid adoption across East Africa's growing data science community - particularly in Kenyan fintech firms, government analytics units, Ethiopian development finance institutions, and telecommunications companies building AI-driven services. Many of these deployments are hosted on internal servers or cloud instances (AWS, Azure, GCP) that may have network ports inadvertently exposed.
The Horn of Africa has seen an accelerated push toward data-driven government and banking operations under frameworks such as Kenya's National Digital Master Plan, Ethiopia's Digital Ethiopia 2025, and Somalia's emerging e-government initiatives. Organizations in these programs are increasingly running Python-based analytics environments - putting Marimo squarely in scope for this threat.
Critically, pre-auth RCE flaws on data platforms are particularly dangerous because such platforms typically sit inside trusted internal networks, where lateral movement to databases, financial systems, or citizen data repositories is far easier once initial access is gained.
Impact Assessment for the Region
- Banking and Fintech (Kenya, Ethiopia, Somalia): Data science notebooks connected to transaction databases, fraud detection pipelines, or credit scoring models become direct entry points. A compromised Marimo server can expose customer PII and account data, and put the organization in breach of CBK cybersecurity guidelines and Kenya Data Protection Act 2019 obligations.
- Government Analytics Units: Ministries and agencies using Marimo for policy modelling or budget analysis risk unauthorized access to sensitive national datasets. Under Somalia's National Communications Authority rules and Kenya's Computer Misuse and Cybercrimes Act 2018, a breach of this nature carries serious legal and reputational consequences.
- Telecommunications and Critical Infrastructure: Telcos running network analytics or customer intelligence platforms on Marimo face potential service disruption and data exfiltration at scale.
- Healthcare and NGOs: Health data platforms using Python notebooks for epidemiological analysis could expose patient records, violating donor compliance requirements and local data protection law.
Immediate Actions - Do This Now
- Audit all Marimo deployments immediately. Identify every instance running in your environment - on-premises, cloud, or developer workstations. Check version numbers against the patched release from the Marimo maintainers.
- Patch or isolate without delay. Apply the vendor-issued patch as a priority. If patching cannot be completed within 24 hours, take the Marimo instance offline, or use firewall rules to restrict network access to the instance to localhost only.
- Scan for indicators of compromise (IOCs). Review server logs, running processes, and network connections on hosts running Marimo. Look for unexpected outbound connections, new user accounts, or unusual Python process spawning.
- Restrict network exposure now. Marimo notebooks should never be exposed directly to the public internet. Enforce access via VPN, internal network, or authenticated reverse proxy. Verify your firewall and security group rules immediately.
- Alert your SOC and incident response team. Given the 10-hour exploitation window, assume that any unpatched, internet-accessible Marimo instance may already be compromised. Treat this as a potential active incident, not a future risk.
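The exposure and IOC checks above (steps 3 and 4) can be scripted for a Linux host. The following is an added triage example for this advisory, not code from Marimo or DRONGO; it assumes standard ps/ss output and a site-tuned list of process names a notebook server should not normally spawn.

```python
# Triage helpers for a host running Marimo (added example; not code from Marimo or DRONGO).
# Parses 'ps -eo pid,ppid,comm,args --no-headers' and 'ss -ltnp' output to flag marimo
# listeners bound beyond localhost and shells/downloaders spawned under a marimo server.
# Heuristic only: notebooks can legitimately shell out, so every hit needs analyst review.
import re

LOOPBACK = ("127.", "[::1]:")
SUSPICIOUS = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat", "socat"}  # assumption; tune per site
PID_RE = re.compile(r"pid=(\d+)")

def parse_ps(ps_output):
    """'ps -eo pid,ppid,comm,args --no-headers' -> {pid: (ppid, comm, args)}."""
    rows = (line.split(None, 3) for line in ps_output.splitlines())
    return {int(r[0]): (int(r[1]), r[2], r[3]) for r in rows if len(r) == 4}

def marimo_pids(procs):
    """PIDs whose command line runs marimo (the 'marimo' script or 'python -m marimo')."""
    return {pid for pid, (_, _, args) in procs.items() if re.search(r"\bmarimo\b", args)}

def exposed_listeners(ss_output, pids):
    """(pid, local address) for marimo listening sockets not bound to loopback."""
    hits = []
    for line in ss_output.splitlines():
        cols, m = line.split(), PID_RE.search(line)   # header line has no pid= and is skipped
        if len(cols) >= 5 and m and int(m.group(1)) in pids and not cols[3].startswith(LOOPBACK):
            hits.append((int(m.group(1)), cols[3]))
    return hits

def suspicious_children(procs, pids):
    """(pid, comm, args) for SUSPICIOUS processes that have a marimo server as an ancestor."""
    hits = []
    for pid, (ppid, comm, args) in procs.items():
        anc = ppid
        while comm in SUSPICIOUS and anc in procs and anc not in pids:
            anc = procs[anc][0]                        # walk up the parent chain
        if comm in SUSPICIOUS and anc in pids:
            hits.append((pid, comm, args))
    return hits

# Constructed sample output (not captured from a real host): pids 4301/4302 model a shell and
# an outbound fetch under the notebook kernel; 0.0.0.0:2718 models a network-reachable listener.
SAMPLE_PS = """\
 4242  1000 python3 /usr/bin/python3 /usr/local/bin/marimo edit --host 0.0.0.0 --port 2718
 4260  4242 python3 /usr/bin/python3 -c from multiprocessing.spawn import spawn_main; spawn_main()
 4301  4260 sh      sh -c id
 4302  4301 curl    curl -s http://203.0.113.10/
 5100  1000 bash    bash
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:2718       0.0.0.0:*         users:(("python3",pid=4242,fd=6))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=900,fd=5))
"""
```

On a live host, feed the functions the real output of `ps -eo pid,ppid,comm,args --no-headers` and `ss -ltnp` (run as root so ss shows process ids); on the sample, the 0.0.0.0 listener and the sh/curl chain under pid 4242 are flagged while the unrelated bash and postgres entries are not.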
DRONGO Recommendation
DRONGO's SOC team is actively monitoring threat intelligence feeds for IOCs related to CVE-2026-39987 across East African networks. Our penetration testing and vulnerability management teams can rapidly assess whether your organization's data science infrastructure is exposed - and help you remediate before an attacker does.
Is your organization protected? Request a free security assessment.