Marimo versions 0.20.4 and earlier contain a critical pre-authentication RCE (CVE-2026-39987, CVSS 9.8) via an unauthenticated WebSocket terminal endpoint that permits arbitrary code execution with no credentials required. Active exploitation was observed within 10 hours of public disclosure, with confirmed credential harvesting (cloud keys, SSH private keys) completing in under three minutes per session. Organizations should immediately upgrade to Marimo 0.23.0, block external access to all Marimo instances pending patching, and rotate all credentials accessible from any host that ran a vulnerable version.
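An added example, not part of the original advisory or the Marimo project's code: a host inventory that finds installed `marimo` packages under a directory tree and classifies each against the versions stated above. The function names, status labels and the handling of pre-release builds are assumptions of this example; versions above 0.20.4 but below 0.23.0 are reported as `below-recommended` because the advisory does not say whether they are affected.

```python
import re
import sys
from pathlib import Path

LAST_VULNERABLE = (0, 20, 4)  # advisory: 0.20.4 and earlier are vulnerable
RECOMMENDED = (0, 23, 0)      # advisory: upgrade target

def parse_version(text):
    """Return (release_tuple, is_final), or None if the string is unparseable."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)", text)
    if not m:
        return None
    nums = [int(p) for p in m.group(1).split(".")][:3]
    release = tuple(nums + [0] * (3 - len(nums)))
    # Assumption: a/b/rc/dev builds sort before the final release of that number.
    is_final = re.match(r"[._-]?(a|b|rc|dev)", m.group(2).lower()) is None
    return release, is_final

def classify(version_text):
    """Map a version string to vulnerable / below-recommended / ok / unknown."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"
    release, is_final = parsed
    if release <= LAST_VULNERABLE:
        return "vulnerable"
    if (release, is_final) >= (RECOMMENDED, True):
        return "ok"
    return "below-recommended"

def scan(root):
    """Return sorted (status, version, path) for each marimo install under root."""
    found = []
    for meta in Path(root).rglob("METADATA"):
        if not re.fullmatch(r"marimo-[^-]+\.dist-info", meta.parent.name):
            continue
        text = meta.read_text(encoding="utf-8", errors="replace")
        m = re.search(r"^Version:\s*(\S+)", text, re.MULTILINE)
        version = m.group(1) if m else ""
        found.append((classify(version), version, str(meta.parent)))
    return sorted(found)

if __name__ == "__main__":
    roots = sys.argv[1:] or [sys.prefix]
    hits = [hit for root in roots for hit in scan(root)]
    for status, version, path in hits:
        print(f"{status:18} {version:12} {path}")
    # Non-zero exit when anything is below the advisory's upgrade target.
    sys.exit(1 if any(s != "ok" for s, _, _ in hits) else 0)
```

Pass one or more directories (home directories, virtualenv roots, container filesystems) as arguments. Any host with a `vulnerable` hit falls under the credential rotation guidance above even after it is upgraded.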