CVE-2026-39987 Splunk · SPL

Detect Marimo Remote Code Execution via Missing Authentication (CVE-2026-39987) in Splunk

CVE-2026-39987 is a critical remote code execution vulnerability in the Marimo reactive notebook framework caused by missing authentication (CWE-306) for critical server-side functions. An unauthenticated remote attacker can invoke kernel execution endpoints to run arbitrary Python code in the context of the Marimo server process. This vulnerability is actively exploited in the wild and listed on the CISA KEV catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation

SPL Detection Query

Splunk (SPL)
spl 
index=* sourcetype IN ("wineventlog:security", "linux:audit", "osquery:results", "xmlwineventlog:microsoft-windows-sysmon/operational")
| eval is_marimo_proc = if(match(process_name, "(?i)marimo") OR match(cmdline, "(?i)marimo"), 1, 0)
| eval is_shell_exec = if(match(cmdline, "(?i)(subprocess|os\.system|exec|eval|Popen|shell=True|__import__)"), 1, 0)
| eval is_network_access = if(dest_port IN ("2718", "8080", "8000") AND NOT match(process_name, "(?i)(marimo|python|python3)"), 1, 0)
| where is_marimo_proc=1 AND is_shell_exec=1 OR is_network_access=1
| stats count min(_time) as first_seen max(_time) as last_seen values(cmdline) as commands values(src_ip) as source_ips by host, user, process_name
| eval alert = "CVE-2026-39987: Marimo unauthenticated RCE indicator"
| sort - count
critical severity medium confidence

Splunk query correlating Marimo process execution with shell/subprocess invocation patterns across Windows Security events, Linux audit logs, and Sysmon. Also flags unexpected source processes connecting to Marimo's default listening ports.

Data Sources

Windows Event LogLinux AuditSysmonosquery

Required Sourcetypes

wineventlog:securitylinux:auditosquery:resultsxmlwineventlog:microsoft-windows-sysmon/operational

False Positives & Tuning

  • Data science workflows in Marimo notebooks that legitimately invoke system utilities or shell commands
  • Automated testing frameworks executing Marimo notebooks via subprocess
  • Developers running Marimo locally and connecting from build tools or IDEs on non-standard ports
  • Container orchestration probes hitting Marimo health check endpoints on default ports

Other platforms for CVE-2026-39987

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated Marimo Kernel RCE via HTTP POST

    Expected signal: HTTP POST to Marimo port 2718 from loopback or external IP; new child process (sh or bash) spawned under the Marimo/Python process; creation of /tmp/marimo_rce_test.txt by the Marimo server user

  2. Test 2Marimo RCE Reverse Shell Simulation

    Expected signal: Outbound TCP connection from Marimo Python process to loopback port 9999; /bin/sh spawned as child of Python under Marimo server; socket.connect syscall in audit logs

  3. Test 3Marimo Persistence via Cron Injection through RCE

    Expected signal: subprocess.run executing bash crontab command as Marimo server user; crontab modification event in audit logs; new cron entry for the Marimo user account

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-39987 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0004Privilege Escalation

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.006PythonT1203Exploitation for Client Execution

Same Tactic: Initial Access

Popular Detections