🇬🇧 English Version#
TL;DR#
A critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-39987, CVSS 9.3) has been disclosed in Marimo, a reactive Python notebook. The /terminal/ws WebSocket endpoint performs no authentication, so any client that can reach the notebook server can open a fully interactive PTY shell and run arbitrary commands with the privileges of the Marimo process. The flaw is fixed in version 0.23.0.
What Happened#
Marimo is an open-source reactive Python notebook. Security researchers identified that the WebSocket endpoint /terminal/ws does not enforce the authentication that other endpoints, such as /ws, require. Because the terminal feature hands the connected client a PTY, an unauthenticated attacker who can reach the server over the network gets an interactive shell on the host and can execute arbitrary commands.
Technical Details#
- CVE ID: CVE-2026-39987
- Weakness Type: CWE-306 (Missing Authentication for Critical Function)
- Affected Versions: Prior to 0.23.0
- Root Cause: The /terminal/ws endpoint only checks the running mode and platform support before accepting a connection; it never verifies that the client is authenticated.
- Attack Vector: Network-based, low complexity, no privileges required, no user interaction.
- Proof of Concept: Publicly available; exploitation demonstrated within hours of disclosure.
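The root-cause bullet above describes a CWE-306 pattern in which feature checks run but the authentication gate is simply absent from one route. The following is an added illustration of that pattern and its fix, not code from Marimo or from the referenced advisory: the route names /ws and /terminal/ws come from the advisory, while the request object, the token scheme, the "edit" mode name and the platform check are assumptions made so the model runs stand-alone.

```python
"""Model of a WebSocket dispatcher with a missing-authentication route (CWE-306).

Added example, not Marimo's code. Only the two route paths are taken from the
advisory; the session-token scheme, the mode and platform checks, and the
request structure are assumptions for illustration.
"""
import hmac
from dataclasses import dataclass, field

SESSION_TOKEN = "s3cr3t-session-token"   # constructed secret for the example


@dataclass
class WsRequest:
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


def token_is_valid(req: WsRequest) -> bool:
    """Constant-time comparison of the presented token with the session token."""
    presented = req.query.get("token") or req.headers.get("x-session-token", "")
    return hmac.compare_digest(presented, SESSION_TOKEN)


def running_mode_allows_terminal(mode: str) -> bool:
    # Assumed: the terminal is only offered while editing, not in run mode.
    return mode == "edit"


def platform_supports_pty(platform: str) -> bool:
    # Assumed: PTY support is unavailable on Windows.
    return platform != "win32"


def accept_vulnerable(req: WsRequest, mode: str = "edit", platform: str = "linux") -> bool:
    """Pre-fix behaviour: /ws checks the token, /terminal/ws never does."""
    if req.path == "/ws":
        return token_is_valid(req)
    if req.path == "/terminal/ws":
        # Only mode and platform are consulted; authentication is skipped entirely.
        return running_mode_allows_terminal(mode) and platform_supports_pty(platform)
    return False


def accept_fixed(req: WsRequest, mode: str = "edit", platform: str = "linux") -> bool:
    """Fixed behaviour: the authentication gate runs before any route-specific check."""
    if not token_is_valid(req):
        return False
    if req.path == "/ws":
        return True
    if req.path == "/terminal/ws":
        return running_mode_allows_terminal(mode) and platform_supports_pty(platform)
    return False


if __name__ == "__main__":
    anonymous = WsRequest("/terminal/ws")
    authenticated = WsRequest("/terminal/ws", query={"token": SESSION_TOKEN})
    print("vulnerable, no token :", accept_vulnerable(anonymous))    # True: shell for anyone
    print("fixed, no token      :", accept_fixed(anonymous))         # False
    print("fixed, valid token   :", accept_fixed(authenticated))     # True
```

The structural point is where the gate sits: in the fixed version every WebSocket route passes through the same authentication check before any feature-specific condition is evaluated, so adding a new route cannot silently bypass it.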
Impact & Risk#
- CVSS Score: 9.3 (Critical)
- Impact: Complete compromise of confidentiality, integrity, and availability of the host running the Marimo server, with the privileges of the Marimo process.
- Known Exploitation: CISA has added this CVE to its Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild.
Mitigation / Recommendations#
- Immediately upgrade to Marimo version 0.23.0 or later.
- If an immediate upgrade is not possible, restrict network access to the /terminal/ws endpoint (e.g., block the path at a reverse proxy, or keep the server bound to localhost behind a firewall). A proxy rule only helps if the Marimo port itself is not reachable directly.
- Monitor logs for WebSocket connections to /terminal/ws from unexpected clients.
- Run the Marimo process with least privilege (a dedicated unprivileged user, no credentials in its environment), so that a shell obtained through this flaw is contained.
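The first and third items in the list above (confirm the installed version is at or past 0.23.0, and look for WebSocket connections to /terminal/ws in the logs) can both be checked with a short script. What follows is an added example written for this page, not tooling from Marimo or from the referenced sources. It assumes the reverse proxy writes the Nginx "combined" access-log format, in which a completed WebSocket upgrade is logged with status 101; the sample log lines and the allowed network ranges are constructed for the example.

```python
"""Two mitigation checks for CVE-2026-39987 (added example, not project code).

1. is_vulnerable(): compare a Marimo version string with the fixed release 0.23.0,
   treating pre-releases of 0.23.0 as still vulnerable.
2. scan_access_log(): find WebSocket connections to /terminal/ws in Nginx combined
   access-log lines and flag clients outside an allowed set of networks.
The log lines and network ranges below are constructed for the example.
"""
import ipaddress
import re
from typing import Iterable

# (major, minor, patch, final) where final=1 marks a release, 0 a pre-release.
FIXED = (0, 23, 0, 1)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
_PRERELEASE_RE = re.compile(r"^[-.]?(a|b|rc|alpha|beta|dev)\d*", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'0.22.5' -> (0, 22, 5, 1); '0.23.0rc1' -> (0, 23, 0, 0); '0.23.0.post1' -> (0, 23, 0, 1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    final = 0 if _PRERELEASE_RE.match(suffix) else 1
    return (int(major), int(minor), int(patch), final)


def is_vulnerable(version: str) -> bool:
    """True for anything older than the 0.23.0 release, including 0.23.0 pre-releases."""
    return parse_version(version) < FIXED


# Nginx combined format: ip - user [time] "METHOD target PROTO" status bytes "ref" "ua"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines: Iterable[str], allowed_networks: Iterable[str]) -> list:
    """Return one finding per request for /terminal/ws (query string ignored).

    'upgraded' is True when the proxy logged a 101 Switching Protocols response,
    i.e. the WebSocket was actually established; 'allowed' says whether the
    client address falls inside one of the permitted networks.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = m["target"].split("?", 1)[0]
        if path != "/terminal/ws":
            continue
        ip = ipaddress.ip_address(m["ip"])
        findings.append({
            "time": m["time"],
            "ip": str(ip),
            "status": int(m["status"]),
            "upgraded": m["status"] == "101",
            "allowed": any(ip in n for n in nets),
        })
    return findings


# Constructed sample log: one legitimate terminal session from the office range,
# one /ws session, one terminal session from the internet, one blocked attempt.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2026:09:58:12 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2026:09:59:01 +0000] "GET /ws?session_id=abc HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2026:10:00:44 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"
198.51.100.3 - - [03/Jun/2026:10:02:10 +0000] "GET /terminal/ws HTTP/1.1" 403 153 "-" "curl/8.5.0"
""".splitlines()

ALLOWED_NETWORKS = ["10.0.0.0/8", "127.0.0.0/8"]   # assumed trusted ranges


if __name__ == "__main__":
    for v in ("0.22.5", "0.23.0rc1", "0.23.0", "0.23.1"):
        print(f"marimo {v:<10} vulnerable={is_vulnerable(v)}")
    for f in scan_access_log(SAMPLE_LOG, ALLOWED_NETWORKS):
        verdict = "OK" if f["allowed"] else ("ESTABLISHED from untrusted client" if f["upgraded"] else "blocked attempt")
        print(f'{f["time"]} {f["ip"]:<14} status={f["status"]} {verdict}')
```

Any 101 for /terminal/ws from an address outside the trusted ranges is the line to treat as an incident, not a scan: the upgrade succeeded, so on a pre-0.23.0 server that client had a shell. The version string can be taken from `pip show marimo` or the server's startup banner; the parser deliberately orders 0.23.0 pre-releases before the release so they are not mistaken for the fix.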
References#
- GitHub Commit Fix
- GitHub Pull Request
- GitHub Security Advisory
- CISA Known Exploited Vulnerabilities
- Sysdig Blog: Exploitation Details
🇹🇭 Thai Version#
No Thai content available.
📋 Reference Information#
| Item | Value |
|---|---|
| Severity | 🔴 Critical |
| Source | # |
| Published | 2026-06-03 |
| Original language | en |
📌 This article was generated by AI. Please review before publishing.