CVE-2026-39987 is a pre-authentication remote code execution (RCE) vulnerability in the Marimo Python notebook platform, caused by an unauthenticated WebSocket terminal endpoint. Active exploitation was confirmed within 10 hours of disclosure, and attackers were observed targeting the cloud credentials, SSH private keys, and API tokens that are common in data science and ML environments. The source data is internally inconsistent about the affected version boundary (both 0.20.4 and 0.23.0 are cited); 0.23.0 is used here as the broader boundary pending authoritative confirmation from NVD. Treat any internet-exposed Marimo instance running an affected version as a confirmed credential compromise: rotate secrets immediately, isolate the WebSocket port at the firewall, and upgrade to a patched release per the official Marimo project advisory.
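To scope the secret rotation described above, the following added example (not code from the Marimo project or its advisory) inventories the three secret classes named here under a home directory and reports what to rotate without returning any secret values. The file locations checked, the category labels, and the function names are assumptions chosen for illustration, and the sample files are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Assumed locations, relative to the home directory of the notebook's account.
CLOUD_FILES = {".aws/credentials", ".config/gcloud/application_default_credentials.json"}
PEM_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
ENV_SECRET = re.compile(
    r"^\s*(?:export\s+)?([A-Z0-9_]*(?:TOKEN|API_KEY|SECRET)[A-Z0-9_]*)\s*=\s*\S", re.M)

def inventory_secrets(home: Path) -> list[tuple[str, str, str]]:
    """Return sorted (category, relative path, detail) rows; values are never returned."""
    rows = []
    for path in home.rglob("*"):
        if not path.is_file() or path.is_symlink():
            continue
        rel = path.relative_to(home).as_posix()
        try:
            with path.open("rb") as fh:
                head = fh.read(65536).decode("utf-8", "replace")
        except OSError:
            continue  # skip files this account cannot read
        if rel in CLOUD_FILES:
            rows.append(("cloud-credentials", rel, "rotate access keys"))
        elif PEM_KEY.match(head):  # private keys start with a PEM header
            rows.append(("private-key", rel, "replace key pair, prune authorized_keys"))
        elif path.name == ".env" or path.name.startswith(".env."):
            for name in ENV_SECRET.findall(head):  # variable names only
                rows.append(("api-token", rel, name))
    return sorted(rows)

def build_sample_home(home: Path) -> None:
    """Constructed sample files; every value is a placeholder, not a real secret."""
    samples = {
        ".aws/credentials": "[default]\naws_access_key_id = EXAMPLEKEYID\n",
        ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n",
        ".ssh/id_ed25519.pub": "ssh-ed25519 AAAAplaceholder user@host\n",
        "project/.env": "SERVICE_API_KEY=placeholder\nDEBUG=1\nexport REGISTRY_TOKEN=placeholder\n",
        "project/notebook.py": "import marimo\n",
    }
    for rel, text in samples.items():
        target = home / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_home(Path(tmp))
        for row in inventory_secrets(Path(tmp)):
            print(*row, sep="\t")
```

Run it as the account the notebook server runs as, pointing `inventory_secrets` at that account's home directory, so the listing reflects what a session on the terminal endpoint could have read.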