CVE-2026-39987: An AI Agent Hacked a Database in Under an Hour
An attacker exploited a Marimo notebook, let an LLM agent do the post-exploitation, and it dumped an entire PostgreSQL database in 4 pivots. This is the first documented LLM-agent intrusion in the wild.
# The attacker didn't do the hacking. The AI did.
Read that again.
An unknown threat actor exploited CVE-2026-39987, a pre-authenticated remote code execution vulnerability in Marimo (an open-source Python notebook tool). That's the boring part. RCE in an exposed web app, we see it every week.
The interesting part is what happened next. Instead of manually poking around the compromised system, the attacker handed control to an LLM agent and let it do the post-exploitation.
The AI agent:
- Found cloud credentials on the compromised host
- Used them to call AWS Secrets Manager
- Retrieved an SSH private key
- Authenticated to a downstream bastion server
- Opened 8 parallel SSH sessions
- Dumped the schema and full contents of an internal PostgreSQL database
Total time: just over one hour. Four pivots. Entire database exfiltrated.
Sysdig documented the whole thing and it's the first confirmed case of an LLM agent being used for real-world intrusion. Not a demo. Not a research paper. An actual attack against an actual target.
# How they know it was an AI agent.
The forensics are fascinating. Here's what gave it away:
The attacker bundled six independent SQL SELECT statements into a single psql invocation using a HEREDOC block. That's not how humans work. A human attacker would run queries one at a time, look at the results, and decide what to do next. A human explores interactively.
An LLM agent batches everything into one round trip because it wants all the data returned in a single tool call. It's optimizing for efficiency, not stealth. The HEREDOC pattern, the parallel SSH sessions, the mechanical precision of the credential chain - it all screams "automated agent, not human hands."
The attacker essentially said "here's access to this system, go get everything valuable" and the AI figured out the rest.
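A detection sketch for the HEREDOC pattern described above, added here as an example and not taken from Sysdig's analysis. It assumes you already collect full process command lines (auditd, EDR or shell telemetry); the threshold of three SELECTs, the function names and the sample commands are all constructed for illustration.

```python
import re

# Heredoc redirect: <<TAG ... TAG (also <<-TAG and quoted tags).
HEREDOC = re.compile(r"<<-?\s*(['\"]?)(\w+)\1[^\n]*\n(.*?)^\s*\2\s*$", re.S | re.M)

def select_count(cmd):
    """SELECT statements fed to psql through a heredoc; 0 if no heredoc."""
    if not re.search(r"\bpsql\b", cmd):
        return 0
    m = HEREDOC.search(cmd)
    if not m:
        return 0
    # Naive split on ';' (ignores semicolons inside string literals).
    stmts = (s.strip() for s in m.group(3).split(";"))
    return sum(1 for s in stmts if re.match(r"select\b", s, re.I))

def flag_batched(cmds, threshold=3):
    """Command lines whose heredoc carries at least `threshold` SELECTs."""
    return [c for c in cmds if select_count(c) >= threshold]

# Constructed command lines (hosts, users and tables are made up).
SAMPLE_COMMANDS = [
    "psql -h db.internal -U app -d shop -c 'SELECT count(*) FROM orders;'",
    "psql -h db.internal -U app -d shop <<EOF\n"
    "SELECT table_name FROM information_schema.tables;\n"
    "SELECT column_name FROM information_schema.columns;\n"
    "SELECT * FROM users;\n"
    "SELECT * FROM orders;\n"
    "SELECT * FROM payments;\n"
    "SELECT * FROM sessions;\n"
    "EOF",
    "psql -d shop <<'SQL'\n"
    "INSERT INTO audit(note) VALUES ('deploy');\n"
    "SELECT max(id) FROM audit;\n"
    "SQL",
]

if __name__ == "__main__":
    for cmd in flag_batched(SAMPLE_COMMANDS):
        print("ALERT batched psql heredoc:", select_count(cmd), "SELECTs")
```

Legitimate migration and reporting scripts also use heredocs, so treat a hit as a signal to correlate with the source host and account rather than as proof on its own.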
# Why this should terrify you.
Up until now, the security industry has been worried about AI writing better phishing emails. That's real, but it's incremental. A better email is still an email. The defense is still "train your people not to click."
This is different. This is an AI agent doing the actual hacking. Not writing the exploit. Not crafting the phish. Performing the post-exploitation, lateral movement, credential harvesting, and data exfiltration autonomously.
Think about what that means for the attacker's economics:
Before AI agents: The attacker needs skilled humans to manually explore compromised systems. Each intrusion requires hands-on-keyboard time. The attacker's throughput is limited by how many skilled operators they have.
After AI agents: The attacker exploits the initial vulnerability (which can also be automated), then deploys an LLM agent to do everything else. One attacker can run dozens of simultaneous intrusions. The bottleneck is no longer human skill. It's compute.
The barrier to entry for sophisticated post-exploitation just dropped to zero. You don't need to know how AWS Secrets Manager works. You don't need to know PostgreSQL. You don't need to know SSH pivoting. The AI knows. You just point it at the target.
# "But Marimo is a niche tool, this doesn't affect me."
Wrong framing. Marimo is just the entry point. The lesson here isn't about Marimo. It's about what happens after initial access.
Replace Marimo with any exposed web application your business runs. Your WordPress site with a vulnerable plugin. Your unpatched Exchange server. Your firewall with a known CVE. Your VPN with an auth bypass.
The initial access vector doesn't matter as much as what's reachable once someone gets in. And now "someone" includes AI agents that can navigate your infrastructure, find your secrets, and exfiltrate your data faster than any human.
# What to do.
1. Stop leaving credentials on hosts. The AI agent found cloud credentials sitting on the compromised Marimo server. Credentials should live in a secrets manager, injected at runtime, not stored in files on the filesystem. Use HashiCorp Vault, AWS Secrets Manager, or Doppler. There's no reason for an API key to live in a config file on a server in 2026.
2. Segment your network. The attacker pivoted from a web-facing notebook to an internal bastion server to a database. That means the compromised system had network access to all of those resources. Network segmentation limits what an attacker (or their AI agent) can reach from any given system. Zero trust architecture means no system trusts another by default.
3. Monitor for anomalous behavior. Eight parallel SSH sessions dumping a database is not normal activity. A cloud credential being used from an unexpected IP to access Secrets Manager is not normal activity. Wazuh (free, open source) or your cloud provider's native monitoring should be catching this. If nobody's watching the alerts, the alerts don't matter.
4. Patch your exposed applications. Marimo had a fix (version 0.20.5+). The vulnerability was exploited within hours of disclosure. If you run any web-facing application, you need a patching process that moves at the speed of exploitation, not the speed of your quarterly maintenance window. Subscribe to CISA's KEV catalog for what's actively being exploited.
5. Audit what's internet-facing. Run Shodan or Censys against your public IPs. You might be surprised what's exposed. Notebooks, dashboards, admin panels, dev tools that should be behind a VPN or not accessible at all. Every exposed service is an entry point for the next AI-powered attack.
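For item 3, an added example (not from the incident report or from Wazuh) that flags a burst of accepted SSH logins for one account from one source, the shape the eight parallel sessions would leave in a bastion's sshd log. The ISO-timestamped log lines, the 60-second window and the function names are assumptions; the default of eight sessions mirrors the count reported above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ACCEPTED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")

def parse(lines):
    """Yield (timestamp, user, source_ip) for each accepted login."""
    for line in lines:
        m = ACCEPTED.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def ssh_bursts(lines, min_sessions=8, window=timedelta(seconds=60)):
    """Return {(user, ip): peak} where peak logins fall inside one window."""
    by_key = defaultdict(list)
    for ts, user, ip in parse(lines):
        by_key[(user, ip)].append(ts)
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Slide the left edge until the span fits the window again.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_sessions:
            hits[key] = peak
    return hits

# Constructed log: eight logins in 14 seconds, plus ordinary activity.
SAMPLE_LOG = [
    f"2026-01-01T03:14:{s:02d}+00:00 bastion sshd[{2200 + s}]: "
    f"Accepted publickey for deploy from 10.0.4.17 port {51000 + s} ssh2"
    for s in range(0, 16, 2)
] + [
    "2026-01-01T09:00:00+00:00 bastion sshd[3001]: "
    "Accepted publickey for alice from 10.0.9.5 port 40222 ssh2",
    "2026-01-01T13:30:00+00:00 bastion sshd[3050]: "
    "Accepted publickey for alice from 10.0.9.5 port 40780 ssh2",
    "2026-01-01T13:31:00+00:00 bastion sshd[3051]: "
    "Failed password for root from 203.0.113.9 port 50000 ssh2",
]

if __name__ == "__main__":
    for (user, ip), peak in ssh_bursts(SAMPLE_LOG).items():
        print(f"ALERT {peak} SSH logins within 60s: {user} from {ip}")
```

Automation such as Ansible or CI runners can open many sessions legitimately, so baseline those accounts and alert on everything else.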
# Further reading
- Sysdig: AI Agent at the Wheel - the full incident analysis
- NVD: CVE-2026-39987 - vulnerability details
- OWASP Top 10 for LLM Applications - AI-specific security risks
- HashiCorp Vault - stop putting credentials on hosts
- Shodan - find out what you're exposing to the internet