Zero Day MonitorZDM

← Back to list

—

CVE-2026-39987KEVEXPLOITEDPATCHED

pypa · marimo

marimo Affected by Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass

Description

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.

Affected Products

Vendor	Product	Versions
pypa	marimo	pip/marimo: < 0.23.0

References

https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc(x_refsource_CONFIRM)
https://github.com/marimo-team/marimo/pull/9098(x_refsource_MISC)
https://github.com/marimo-team/marimo/commit/c24d4806398f30be6b12acd6c60d1d7c68cfd12a(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-39987 | marimo-team marimo up to 0.22.x WebSocket Endpoint /terminal/ws validate_auth missing authentication

→ No new info (linked only)

CISA KEV✅ Yes

Actively exploited✅ Yes

Patch available

marimo@0.23.0

CWECWE-306

PublishedApr 8, 2026

Last enriched4h agov2

Tags

GHSA-2679-6mx9-h9xcpip

Trending Score113🔥

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-40087EXP

LangChain has incomplete f-string validation in prompt templates

HIGHCVE-2026-39981

AGiXT has a Path Traversal in safe_join()

HIGHCVE-2026-34824

Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service

MEDIUMCVE-2026-34052

LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)

HIGHCVE-2024-49048

TorchGeo Remote Code Execution Vulnerability

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 8, 2026

Added to CISA KEV

Apr 8, 2026

Discovered by ZDM

Apr 9, 2026

Updated: description, severity, activelyExploited

Apr 9, 2026

Actively Exploited

Apr 9, 2026

Patch Available

Apr 9, 2026

Version History

v2

Last enriched 4h ago

v2Tier C4h ago

Updated severity to CRITICAL, marked as actively exploited, and provided a new description with details about CVE-2026-39987.

descriptionseverityactivelyExploited

via VulDB

v17h ago

Initial creation