CVE-2026-39987
marimo Affected by Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Tags: CRITICAL | KEV | NUCLEI
Title source: CNA
Description
marimo is a reactive Python notebook. Prior to 0.23.0, marimo has a pre-auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.
Exploits (5)
Nuclei Templates (1)
Marimo <= 0.20.4 - Pre-Auth Terminal WebSocket RCE
CRITICAL | VERIFIED | by ritikchaddha
Shodan:
http.favicon.hash:-1864630356
Scores
CVSS v3
9.8
EPSS
0.4553
EPSS Percentile
97.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CISA KEV
2026-04-23
VulnCheck KEV
2026-04-09
ENISA EUVD
EUVD-2026-20980
CWE
CWE-306
Status
published
Products (3)
coreweave/marimo
< 0.23.0
marimo-team/marimo
< 0.23.0
pypi/marimo
0 - 0.23.0 (PyPI)
Published
Apr 09, 2026
KEV Added
Apr 23, 2026
Tracked Since
Apr 09, 2026