CVE-2026-39987

CRITICAL SEVERITY

Vulnerability Description

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.

Vulnerability Details

Published Date

April 08, 2026

Last Modified

April 13, 2026

CWE ID

CWE-306

Source

GitHub

Vendor

pip

Product

marimo

External References

https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc
https://github.com/marimo-team/marimo/pull/9098
https://github.com/marimo-team/marimo/commit/c24d4806398f30be6b12acd6c60d1d7c68cfd12a
https://github.com/advisories/GHSA-2679-6mx9-h9xc

CVE-2026-39987

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment