Q: Is there a public Exp? (PoC/Wild Exploitation)

🔍 **Public Exploitation: YES** * **PoC Available:** Yes. * **Source:** ProjectDiscovery Nuclei Templates. * **Status:** Automated scanning tools can detect and exploit this easily. 🧪

Q: Is it fixed officially? (Patch/Mitigation)

✅ **Official Fix: YES** * **Patch Status:** Fixed in version **0.23.0** and above. * **Commit:** See commit `c24d4806398f30be6b12acd6c60d1d7c68cfd12a`. * **Advisory:** GHSA-2679-6mx9-h9xc confirms the fix. 🛠️

Q: Is it urgent? (Priority Suggestion)

🔥 **Urgency: CRITICAL** * **Priority:** Patch Immediately. * **Reason:** Unauthenticated RCE is a top-tier threat. * **Action:** Upgrade to `marimo >= 0.23.0` NOW. Do not wait. ⏳

Question 1

What is this vulnerability? (Essence + Consequences)

Accepted Answer

🚨 **CVE-2026-39987: Critical Access Control Failure**  *   **Essence:** The `marimo` interactive Python notebook has a gaping hole in its security. *   **Flaw:** The terminal WebSocket endpoint (`/terminal/ws`) lacks aut…

Question 2

Root Cause? (CWE/Flaw)

Accepted Answer

🛡️ **Root Cause: CWE-306**  *   **CWE ID:** CWE-306 (Missing Authentication for Critical Function). *   **The Flaw:** The `/terminal/ws` endpoint was deployed without proper identity validation. *   **Impact:** No token,…

Question 3

Who is affected? (Versions/Components)

Accepted Answer

📦 **Affected Targets**  *   **Vendor:** marimo-team. *   **Product:** marimo (Interactive Python Notebook). *   **Versions:** All versions **< 0.23.0**. *   **Specific Note:** Versions **<= 0.20.4** are explicitly confir…

Question 4

What can hackers do? (Privileges/Data)

Accepted Answer

💻 **Attacker Capabilities**  *   **Privileges:** Full system access via PTY shell. *   **Actions:** Execute **any** OS command. *   **Data:** Read, write, delete, or exfiltrate server data. *   **Scope:** Remote Code Exe…

Question 5

Is exploitation threshold high? (Auth/Config)

Accepted Answer

📉 **Exploitation Threshold: LOW**  *   **Auth Required?** NO. Unauthenticated. *   **Config Required?** Minimal. Just need network access to the WebSocket endpoint. *   **Difficulty:** Trivial.…

Question 6

Is there a public Exp? (PoC/Wild Exploitation)

Accepted Answer

🔍 **Public Exploitation: YES**  *   **PoC Available:** Yes. *   **Source:** ProjectDiscovery Nuclei Templates. *   **Status:** Automated scanning tools can detect and exploit this easily. 🧪

Question 7

How to self-check? (Features/Scanning)

Accepted Answer

🔎 **Self-Check Steps**  *   **Check Version:** Is your `marimo` version < 0.23.0? *   **Scan:** Use Nuclei with the CVE-2026-39987 template. *   **Verify:** Try connecting to `/terminal/ws` without auth tokens.…

Question 8

Is it fixed officially? (Patch/Mitigation)

Accepted Answer

✅ **Official Fix: YES**  *   **Patch Status:** Fixed in version **0.23.0** and above. *   **Commit:** See commit `c24d4806398f30be6b12acd6c60d1d7c68cfd12a`. *   **Advisory:** GHSA-2679-6mx9-h9xc confirms the fix. 🛠️

Question 9

What if no patch? (Workaround)

Accepted Answer

🚧 **Mitigation (If No Patch)**  *   **Network Isolation:** Block external access to the WebSocket port. *   **Reverse Proxy:** Enforce authentication at the Nginx/HAProxy level before reaching `/terminal/ws`. *   **Disab…

Question 10

Is it urgent? (Priority Suggestion)

Accepted Answer

🔥 **Urgency: CRITICAL**  *   **Priority:** Patch Immediately. *   **Reason:** Unauthenticated RCE is a top-tier threat. *   **Action:** Upgrade to `marimo >= 0.23.0` NOW. Do not wait. ⏳

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-39987 — AI Deep Analysis Summary

Q1What is this vulnerability? (Essence + Consequences)

Q2Root Cause? (CWE/Flaw)

Q3Who is affected? (Versions/Components)

Q4What can hackers do? (Privileges/Data)

Q5Is exploitation threshold high? (Auth/Config)

Q6Is there a public Exp? (PoC/Wild Exploitation)

Q7How to self-check? (Features/Scanning)

Q8Is it fixed officially? (Patch/Mitigation)

Q9What if no patch? (Workaround)

Q10Is it urgent? (Priority Suggestion)

Continue exploring