Share
## https://sploitus.com/exploit?id=AABFEAE2-93E2-55B7-8059-99B47F6740D9
# CVE-2026-39987 - Marimo Pre-Auth RCE
**Unauthenticated Remote Code Execution in Marimo via WebSocket Terminal**



---
### ๐ Overview
**CVE-2026-39987** is a critical **Pre-Authentication Remote Code Execution** vulnerability affecting Marimo versions prior to 0.23.0. The `/terminal/ws` WebSocket endpoint completely bypasses authentication, allowing any unauthenticated attacker to obtain a full interactive PTY shell with the privileges of the Marimo process (typically **root** in Docker environments).
---
## ๐ ๏ธ Vulnerability Details
- **CVE ID**: CVE-2026-39987
- **Affected Product**: Marimo (Reactive Python Notebook)
- **Affected Versions**: `marimo = 0.23.0`
- **Attack Vector**: Network (Unauthenticated)
- **Affected Endpoint**: `/terminal/ws`
- **Impact**: Full remote shell (PTY) as root
---
## โจ PoC Features
- Automatic `http://` โ `ws://` and `https://` โ `wss://` conversion
- Intelligent PTY buffer draining
- Reliable command execution
- Clean, minimal and stable code
- Ready for Docker lab testing
---
## ๐ Repository Structure
CVE-2026-39987/
โโโ CVE-2026-39987-poc.py โ Main Exploit
โโโ docker-vulnerable/
โ โโโ Dockerfile
โ โโโ docker-compose.yml
โโโ notebooks/ โ Persistent notebooks (optional)
โโโ README.md
โโโ LICENSE
---
## ๐ Usage
### 1. Install dependency
```bash
pip install websocket-client
```
### 2. Run the Exploit
```bash
# Basic usage
python3 CVE-2026-39987-poc.py http://localhost:2718 "id && whoami && hostname"
# System enumeration
python3 CVE-2026-39987-poc.py http://localhost:2718 "id && whoami && cat /etc/os-release && ls -la /app"
# Read sensitive files
python3 CVE-2026-39987-poc.py http://target:2718 "cat /etc/passwd && cat /root/.bash_history"
```
---
## ๐งช Vulnerable Docker Lab
```bash
cd docker-vulnerable
docker compose up --build -d
```
Then test:
```bash
python3 CVE-2026-39987-poc.py http://localhost:2718 "id && whoami"
```
---
## ๐ก๏ธ Mitigation
- Upgrade immediately to `marimo >= 0.23.0`
- Do not expose Marimo directly to the internet
- Place behind a reverse proxy with authentication
- Run as non-root user whenever possible
- Restrict access to `/terminal/ws` via firewall or proxy rules
---
## โ ๏ธ Disclaimer
This Proof of Concept is intended for **educational purposes** and **authorized security testing only**. The author is not responsible for any misuse or damage caused by this tool. Ensure you have explicit permission before testing any system.
Use ethically and responsibly.
---
## ๐ References
- [Official CVE Advisory](#)
- [Marimo GitHub Repository](https://github.com/marimo-team/marimo)
- [NVD Entry (CVE-2026-39987)](#)
---
*Made for security research & responsible disclosure.*