Detect Marimo Remote Code Execution via Missing Authentication (CVE-2026-39987) in Microsoft Sentinel
CVE-2026-39987 is a critical remote code execution vulnerability in the Marimo reactive notebook framework caused by missing authentication (CWE-306) for critical server-side functions. An unauthenticated remote attacker can invoke kernel execution endpoints to run arbitrary Python code in the context of the Marimo server process. This vulnerability is actively exploited in the wild and listed on the CISA KEV catalog.
MITRE ATT&CK
KQL Detection Query
let MarimoDefaults = dynamic([2718, 8080, 8000]);
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName =~ "marimo" or InitiatingProcessCommandLine has "marimo"
| join kind=inner (
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName =~ "marimo" or FileName =~ "python" or FileName =~ "python3"
| where ProcessCommandLine has_any ("exec", "eval", "__import__", "subprocess", "os.system", "shell=True", "Popen")
) on DeviceId
| union (
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemotePort in (MarimoDefaults)
| where InitiatingProcessFileName !in~ ("marimo", "python", "python3")
| extend Suspicious = "Unexpected process accessing Marimo port"
)
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, ActionType
| extend AlertDetail = "Potential CVE-2026-39987 exploitation: unauthenticated Marimo RCE"Detects suspicious process execution originating from the Marimo notebook server, including Python subprocesses with shell execution patterns, and unexpected processes communicating on Marimo's default ports. Targets endpoint telemetry to identify post-exploitation activity following unauthenticated RCE.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Marimo notebooks executing system commands as part of normal data science workflows
- Automated CI/CD pipelines running Marimo notebooks that invoke subprocess calls
- Security researchers or developers testing Marimo features locally on internal networks
- Marimo server processes binding to standard ports during normal startup on shared developer machines
Other platforms for CVE-2026-39987
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated Marimo Kernel RCE via HTTP POST
Expected signal: HTTP POST to Marimo port 2718 from loopback or external IP; new child process (sh or bash) spawned under the Marimo/Python process; creation of /tmp/marimo_rce_test.txt by the Marimo server user
- Test 2Marimo RCE Reverse Shell Simulation
Expected signal: Outbound TCP connection from Marimo Python process to loopback port 9999; /bin/sh spawned as child of Python under Marimo server; socket.connect syscall in audit logs
- Test 3Marimo Persistence via Cron Injection through RCE
Expected signal: subprocess.run executing bash crontab command as Marimo server user; crontab modification event in audit logs; new cron entry for the Marimo user account
Unlock Pro Content
Get the full detection package for CVE-2026-39987 including response playbook, investigation guide, and atomic red team tests.