PyPI: marimo
CVE-2026-39987
Safety vulnerability ID: SFTY-20260408-74767
Safety legacy ID: pyup.io-92339
Overview
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Advisory
Affected versions of the marimo package are vulnerable to Remote Code Execution due to missing authentication on the terminal WebSocket endpoint. The /terminal/ws endpoint in marimo/_server/api/endpoints/terminal.py accepts WebSocket connections without calling validate_auth() or using a @requires() decorator, unlike other endpoints such as /ws which correctly enforce authentication, allowing unauthenticated users to obtain a full PTY shell. An attacker can connect to the /terminal/ws WebSocket endpoint without credentials to gain an interactive shell and execute arbitrary system commands on the host.
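As an added defensive example, not marimo's code or the advisory's, a small AST check that flags WebSocket route handlers having neither a @requires() decorator nor a validate_auth() call, the exact gap this advisory describes. The `router.websocket` decorator name and the three sample handlers are constructed assumptions for illustration.

```python
import ast
# Constructed sample in the style the advisory describes: one handler guarded by
# @requires(), one by an explicit validate_auth() call, and one with neither. The
# "router.websocket" decorator and handler bodies are assumptions, not marimo's code.
SAMPLE_SOURCE = '''
@router.websocket("/ws")
@requires("edit")
async def kernel_ws(websocket):
    await websocket.accept()

@router.websocket("/terminal/ws")
async def terminal_ws(websocket):
    await websocket.accept()

@router.websocket("/export/ws")
async def export_ws(websocket):
    validate_auth(websocket)
    await websocket.accept()
'''

def _callee_name(node: ast.AST) -> str:
    """Bare name of a decorator or call target: 'requires', 'websocket', 'validate_auth'."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else ""

def _route_path(fn: ast.AST) -> str:
    """First argument of the handler's websocket() route decorator, e.g. '/terminal/ws'."""
    for dec in fn.decorator_list:
        if _callee_name(dec) == "websocket" and isinstance(dec, ast.Call) and dec.args:
            return str(getattr(dec.args[0], "value", "<dynamic>"))
    return "<unknown>"

def find_unauthenticated_ws_routes(source: str) -> list[str]:
    """Paths of WebSocket handlers that have neither @requires nor a validate_auth() call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = [_callee_name(d) for d in node.decorator_list]
        if "websocket" not in names:
            continue  # not a WebSocket route handler
        guarded = "requires" in names or any(
            isinstance(n, ast.Call) and _callee_name(n) == "validate_auth"
            for n in ast.walk(node))
        if not guarded:
            findings.append(_route_path(node))
    return findings
```

Run against a real codebase by feeding each endpoint module's source text to `find_unauthenticated_ws_routes`; on the constructed sample it reports only `/terminal/ws`.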
References
- https://getsafety.com/vulnerabilities/SFTY-20260408-74767/CVE-2026-39987
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-39987
- https://data.safetycli.com/changelogs/marimo/
- https://github.com/advisories/GHSA-2679-6mx9-h9xc
- https://pypi.org/project/marimo
- https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc
- https://github.com/marimo-team/marimo/pull/9098
- https://github.com/marimo-team/marimo/commit/c24d4806398f30be6b12acd6c60d1d7c68cfd12a
- https://nvd.nist.gov/vuln/detail/CVE-2026-39987
Verified by Safety
