Summary
| Item | Details |
| --- | --- |
| Vulnerability Name | Marimo WebSocket Authentication Bypass (CVE-2026-39987) |
| Released on | April 14, 2026 |
| Affected Component | Marimo |
| Affected Version | Marimo < 0.23.0 |
| Vulnerability Type | Authentication bypass |
| Exploitation Condition | 1. User authentication: not required. 2. Preconditions: default configuration. 3. Trigger mode: remote. |
| Impact | Exploitation difficulty: easy. Severity: critical. An attacker can exploit this vulnerability to execute arbitrary code without authorization, which may result in remote code execution. |
| Official Solution | Available |
About the Vulnerability
Component Introduction
Marimo is an open-source, next-generation Python notebook built on a reactive computing model: when the value of a variable changes, every cell that depends on that variable is re-executed automatically. This eliminates the hidden state and irreproducibility caused by manual execution order in traditional Jupyter notebooks. A Marimo notebook is stored as a pure Python file (.py), so it works natively with Git version control, and it can be deployed as an interactive web application or run as a script with a single click.
Vulnerability Description
On April 14, 2026, Sangfor FarSight Labs received notification of an authentication bypass vulnerability in Marimo (CVE-2026-39987), classified as critical.
Specifically, Marimo versions earlier than 0.23.0 contain a pre-authentication remote code execution vulnerability. The terminal WebSocket endpoint /terminal/ws performs no authentication check, so an unauthenticated attacker can obtain a full PTY shell and execute arbitrary system commands on the host running Marimo.
Affected Versions
The following Marimo versions are affected:
Marimo < 0.23.0
Remediation Solutions
Official Solutions
The latest version has been officially released to fix the vulnerability. Affected users are advised to update Marimo to 0.23.0 or later.
Download link: https://github.com/marimo-team/marimo/releases
Temporary Solutions
- Disable unused functional modules to reduce attack entry points.
- Follow the principle of least privilege to strictly control the scope of permissions for sensitive operations.
- Do not expose services to the Internet unless necessary, and limit access sources to trusted ranges.
- Regularly update the system and components to secure versions so that known vulnerabilities are patched at the earliest opportunity.
Sangfor Solutions
Proactive Vulnerability Detection
The following Sangfor services can proactively detect CVE-2026-39987 and quickly identify affected assets in bulk across business environments:
- Athena Managed Detection and Response (MDR): The corresponding detection solution will be released on May 30, 2026. The rule ID is SF-2026-01013.
- Athena Extended Detection and Response (XDR): The corresponding detection solution will be released on April 19, 2026. The rule ID is SF-2026-00874.
Timeline
On April 14, 2026, Sangfor FarSight Labs received notification of the authentication bypass vulnerability in Marimo (CVE-2026-39987).
On April 14, 2026, Sangfor FarSight Labs released a vulnerability alert.
Reference
https://github.com/advisories/GHSA-2679-6mx9-h9xc
Learn More
Sangfor FarSight Labs researches the latest cyber threats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyber threats, providing fast and easy protection for customers.