PT-2026-31594 · Marimo · Marimo
Published: 2026-04-08 · Updated: 2026-04-09 · CVE-2026-39987
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: marimo versions prior to 0.23.0
Description: marimo is a reactive Python notebook. In versions prior to 0.23.0, the /terminal/ws WebSocket endpoint performs no authentication check, so an unauthenticated remote attacker can obtain a full PTY shell and execute arbitrary system commands (pre-authentication remote code execution). Other WebSocket endpoints, such as /ws, enforce authentication at the endpoint level, but /terminal/ws accepts connections directly and creates a PTY shell via pty.fork(). The root cause is the absence of a validate_auth() call or a @requires("edit") decorator on the /terminal/ws handler: the authentication middleware does not actively reject WebSocket connections and relies on each endpoint to enforce authentication itself. The vulnerability was exploited within approximately 10 hours of discovery. A proof-of-concept demonstrates obtaining a root shell by connecting to the WebSocket endpoint without authentication.
Recommendations: Upgrade to version 0.23.0 or later. Enforce authentication on all WebSocket endpoints. Consider disabling the terminal functionality or restricting access to it.
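The root cause above, an authentication check enforced per endpoint and simply not applied to one WebSocket route, modelled as an added example that is not marimo's code: a `requires_edit` guard that closes an unauthenticated socket before ever accepting it, plus a route audit that flags any WebSocket handler lacking the guard. `FakeWebSocket`, `SERVER_TOKEN`, `ROUTES` and the handler names are all assumptions made for the illustration.

```python
# Added example, not marimo's code; every name here is constructed for illustration.
import asyncio
import hmac
from dataclasses import dataclass, field

SERVER_TOKEN = "constructed-example-token"  # real apps generate this per launch

@dataclass
class FakeWebSocket:  # stand-in for a framework WebSocket object
    path: str
    query: dict = field(default_factory=dict)
    accepted: bool = False
    closed_with: int = 0  # non-zero once the server closed the socket
    async def accept(self):
        self.accepted = True

    async def close(self, code: int = 1008):
        self.closed_with = code

def validate_auth(ws: FakeWebSocket) -> bool:
    presented = ws.query.get("access_token", "")
    return hmac.compare_digest(presented.encode(), SERVER_TOKEN.encode())

def requires_edit(handler):
    # close with 1008 (policy violation) before the socket is ever accepted
    async def guarded(ws):
        if not validate_auth(ws):
            await ws.close(code=1008)
            return
        await handler(ws)
    guarded.__auth_guard__ = "edit"  # marker the audit below looks for
    return guarded

@requires_edit
async def kernel_ws(ws):
    await ws.accept()

async def terminal_ws(ws):  # the advisory's pattern: the guard was never applied
    await ws.accept()       # a real handler would fork a PTY here

ROUTES = {"/ws": kernel_ws, "/terminal/ws": terminal_ws}

def audit_websocket_routes(routes) -> list:
    # every path whose handler carries no "edit" guard; suitable as a CI check
    return sorted(p for p, h in routes.items() if getattr(h, "__auth_guard__", "") != "edit")

def connect(routes, path: str, token: str = "") -> FakeWebSocket:
    # simulate one client connection and return the socket's end state
    ws = FakeWebSocket(path, query={"access_token": token} if token else {})
    asyncio.run(routes[path](ws))
    return ws
```

The audit reports `/terminal/ws` because its handler carries no guard, which is the release-time check that catches this class of omission when middleware leaves enforcement to individual endpoints.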

Fix: available (0.23.0)
Weakness Enumeration: Missing Authentication
Related Identifiers: CVE-2026-39987, GHSA-2679-6MX9-H9XC
Affected Products: Marimo