PT-2026-31594 · Marimo · Marimo

Published

2026-04-08

·

Updated

2026-07-09

·

CVE-2026-39987

CVSS v2.0

10

Critical

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Marimo versions prior to 0.23.0
Description Marimo contains a pre-authentication remote code execution (RCE) flaw. The terminal WebSocket endpoint /terminal/ws fails to perform authentication validation, unlike other endpoints such as /ws which correctly utilize the validate auth() function. This omission allows an unauthenticated remote attacker to establish a connection and obtain a full PTY shell, enabling the execution of arbitrary system commands with the privileges of the notebook owner, often as root in default Docker deployments.
Real-world incidents have demonstrated the severity of this issue, including the first publicly documented case of an LLM agent autonomously conducting a full post-exploitation chain. In one instance, an attacker used the flaw to compromise a notebook, harvest cloud credentials, access AWS Secrets Manager for SSH keys, and exfiltrate an entire PostgreSQL database in under an hour. Other observed attacks involved the deployment of the NKAbuse Go backdoor and the use of Docker socket mounts to achieve host root access and Kubernetes credential replay.
Recommendations Update Marimo to version 0.23.0 or later. As a temporary workaround, restrict network access to the /terminal/ws endpoint or disable the terminal feature entirely. Place Marimo notebook servers behind a VPN or Zero Trust Network Access (ZTNA) gateway to block public WAN access. Enable the --token or --password flags upon startup to ensure mandatory authentication.

Exploit

Fix

LPE

RCE

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-05278
CVE-2026-39987
GHSA-2679-6MX9-H9XC
PYSEC-2026-407

Affected Products

Marimo