VYPR
Critical severity9.8CISA KEVNVD Advisory· Published Apr 9, 2026· Updated Apr 23, 2026

CVE-2026-39987

CVE-2026-39987

Description

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
marimoPyPI
< 0.23.00.23.0

Affected products

2

Patches

Vulnerability mechanics

References

8

News mentions

6