
"The vulnerability, tracked as CVE-2026-39987 with a severity score of 9.3 out of 10, affects all Marimo versions before 0.23.0. It requires no login, no stolen credentials, and no complex exploit."
"Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands."
"The terminal endpoint skips this check entirely, accepting connections from any unauthenticated user and granting a full interactive shell running with the privileges of the Marimo process."
A critical vulnerability in Marimo, tracked as CVE-2026-39987, enables unauthenticated remote code execution on exposed servers. This flaw affects all versions prior to 0.23.0 and was exploited within 10 hours of its disclosure. Attackers can gain complete control of the system by sending a single connection request to a specific endpoint, requiring no credentials. The vulnerability arises from a lack of authentication validation on the terminal WebSocket endpoint, allowing full access to execute arbitrary commands.
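As an added defender-side illustration (not code from Marimo or from the articles quoted above), the following script does two things the summary implies: checks whether an installed Marimo version is below the fixed release 0.23.0, and flags access-log lines that show WebSocket upgrades to the /terminal/ws endpoint. The log layout and the sample lines are constructed assumptions; adapt the regex to the format your reverse proxy actually writes.

```python
"""Triage helpers for CVE-2026-39987 (Marimo pre-auth terminal WebSocket)."""
import re
from typing import Dict, List

FIXED_VERSION = (0, 23, 0)          # first release stated as not affected
TERMINAL_WS_PATH = "/terminal/ws"   # endpoint named in the advisory


def parse_version(v: str) -> tuple:
    """'0.22.1rc1' -> (0, 22, 1); pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    """True when the version is earlier than 0.23.0."""
    return parse_version(version) < FIXED_VERSION


# Assumed (constructed) log layout: client ip, request line, status,
# then the quoted Upgrade header value ("-" when the header is absent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<upgrade>[^"]*)"$'
)


def find_terminal_ws_upgrades(lines: List[str]) -> List[Dict[str, str]]:
    """Return entries that opened, or tried to open, a WebSocket to /terminal/ws."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        path = m["path"].split("?", 1)[0]
        if path == TERMINAL_WS_PATH and m["upgrade"].lower() == "websocket":
            hits.append(m.groupdict())
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 "GET /terminal/ws HTTP/1.1" 101 "websocket"',
    '198.51.100.2 "GET / HTTP/1.1" 200 "-"',
    '203.0.113.7 "GET /terminal/ws?x=1 HTTP/1.1" 101 "websocket"',
    '192.0.2.9 "GET /other HTTP/1.1" 101 "websocket"',
]

if __name__ == "__main__":
    print("0.22.5 affected:", is_affected("0.22.5"))
    for hit in find_terminal_ws_upgrades(SAMPLE_LOG):
        print(f"terminal websocket from {hit['ip']} -> {hit['path']} ({hit['status']})")
```

Any hit from an unexpected client on a version reported as affected is worth treating as a possible shell session rather than ordinary notebook traffic.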
Read at InfoWorld