GHSA-2679-6MX9-H9XC: Unauthenticated Remote Code Execution in marimo Terminal WebSocket
Vulnerability ID: GHSA-2679-6MX9-H9XC
CVSS Score: 9.5
Published: 2026-04-08
A missing-authentication vulnerability in the marimo interactive Python notebook environment allows unauthenticated remote attackers to obtain an interactive pseudo-terminal (PTY) shell. The flaw resides in the terminal WebSocket endpoint, which never checked the caller's session credentials before spawning the PTY, giving remote code execution on the host with the privileges of the marimo server process.
TL;DR
The marimo notebook environment prior to version 0.23.0 exposes an unauthenticated terminal WebSocket endpoint (/terminal/ws). Attackers can connect to this endpoint to spawn a PTY shell, executing arbitrary commands with the privileges of the marimo server process.
⚠️ Exploit Status: POC
Technical Details
- Bug Class: Missing Authentication for Critical Function (CWE-306)
- Attack Vector: Network (WebSocket)
- Authentication Required: None
- Impact: Remote Code Execution (RCE)
- CVSS v3.1 Score: 9.5 (Critical)
- Exploit Maturity: Proof of Concept Available
Affected Systems
- marimo notebook server
- Python environments utilizing marimo < 0.23.0
- marimo: < 0.23.0 (fixed in 0.23.0)
Code Analysis
Commit: c24d480
Added validate_auth() check to terminal websocket endpoint
@@ -5,6 +5,10 @@
@router.websocket("/ws")
async def websocket_endpoint(websocket: WebSocket) -> None:
+ if not validate_auth(websocket):
+ await websocket.close(code=3000, reason="MARIMO_UNAUTHORIZED")
+ return
+
app_state = AppState(websocket)
if app_state.mode != SessionMode.EDIT:
await websocket.close(code=1008, reason="Terminal only available in edit mode")
return
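Review bot: the new validate_auth() early return fires before any accept() (none precedes it in the hunk), so close(code=3000, reason="MARIMO_UNAUTHORIZED") is issued on an unaccepted socket and a Starlette/ASGI server turns that into a handshake rejection (HTTP 403) rather than a close frame; the client therefore never sees code 3000 or the reason string. If the frontend keys on MARIMO_UNAUTHORIZED, accept first and then close, or document that a refused handshake means unauthorized. This hunk also lacks a regression test that opens /terminal/ws with no session credential and asserts the connection is refused, which is exactly the path that was missing.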
Exploit Details
- PulsePatch Technical Analysis: the proof of concept completes a plain WebSocket handshake to /terminal/ws without presenting any session credential, after which keystrokes written to the socket reach the PTY the server spawned, giving an interactive shell as the marimo process user.
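To check whether a running instance is exposed, a practitioner does not need the full exploit: it is enough to see whether the server accepts an unauthenticated handshake on the terminal endpoint. The script below is an added example, not marimo project code or PulsePatch's proof of concept. It performs the RFC 6455 client handshake by hand with the standard library and classifies the server's first HTTP response; the Sec-WebSocket-Accept derivation is the one in RFC 6455. It assumes the path /terminal/ws and default port 2718 named on this page, that marimo is served without a base-URL prefix, and that a refused handshake surfaces as a 401 or 403 status.

```python
"""Probe a marimo server for an unauthenticated terminal WebSocket
(GHSA-2679-6MX9-H9XC). Added example, not marimo project code."""
import base64
import hashlib
import http.client
import os
from typing import Mapping

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 section 1.3
TERMINAL_PATH = "/terminal/ws"  # path from the advisory; assumes no base-URL prefix


def ws_accept_value(client_key: str) -> str:
    """Sec-WebSocket-Accept a compliant server must return for client_key (RFC 6455 4.2.2)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def new_client_key() -> str:
    """16 random bytes, base64-encoded, as the handshake requires."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def classify(status: int, headers: Mapping[str, str], client_key: str) -> str:
    """Map the handshake response to a verdict.

    101 with a matching Accept header means the server opened the terminal
    socket without any credential: vulnerable. 401/403 means the handshake
    was refused; marimo closes the socket before accepting it both for the
    auth failure and for the "not in edit mode" case, so a refusal only says
    the endpoint is not reachable this way, not that the host is patched.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status == 101:
        if lower.get("sec-websocket-accept") == ws_accept_value(client_key):
            return "vulnerable: unauthenticated terminal WebSocket accepted"
        return "suspicious: 101 without a valid Sec-WebSocket-Accept"
    if status in (401, 403):
        return "rejected: handshake refused (auth enforced or not in edit mode)"
    if status == 404:
        return "absent: no terminal endpoint at this path"
    return f"unknown: HTTP {status}"


def probe(host: str, port: int = 2718, timeout: float = 5.0) -> str:
    """Send one unauthenticated handshake to host:port and return the verdict.

    On a vulnerable host this does open (and immediately drop) a terminal
    session, so only point it at systems you are authorised to test.
    """
    key = new_client_key()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(
            "GET",
            TERMINAL_PATH,
            headers={
                "Host": f"{host}:{port}",
                "Upgrade": "websocket",
                "Connection": "Upgrade",
                "Sec-WebSocket-Key": key,
                "Sec-WebSocket-Version": "13",
            },
        )
        resp = conn.getresponse()  # http.client parses a 101 like any other status line
        return classify(resp.status, dict(resp.getheaders()), key)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(target))
```

Run it as `python probe.py <host>` against an instance you own. A "vulnerable" verdict is conclusive; a "rejected" verdict is not a proof of patching, because the pre-fix code also refused the handshake when the server was not in edit mode, so confirm the version on the host as well.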
Mitigation Strategies
- Upgrade the marimo package to version 0.23.0 or later
- Bind marimo service exclusively to local interfaces (127.0.0.1)
- Utilize VPNs or SSH tunnels for remote developer access
- Implement strong network boundary controls dropping unexpected external traffic to port 2718
Remediation Steps:
- Identify all systems and containers running the marimo package.
- Execute pip install --upgrade marimo on affected hosts.
- Verify the installed version using marimo --version to ensure it is 0.23.0 or greater.
- Restart the marimo server process to apply the updated endpoint handlers.
- Review network firewall configurations to prevent direct internet exposure of the marimo ports.
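The version check in the steps above is easy to get wrong by string comparison: "0.23.0rc1" sorts after "0.23.0" lexically but is still a pre-fix build. The following is an added example, not marimo project code, that reads the installed version from package metadata (no network, no subprocess) and compares it with a small PEP 440-style parser in which pre-releases of 0.23.0 count as vulnerable. It assumes that whatever text you feed it (package metadata or the output of marimo --version) contains a plain x.y.z token, which the regex extracts.

```python
"""Decide whether an installed marimo is at or past the fixed release
(0.23.0) for GHSA-2679-6MX9-H9XC. Added example, not marimo project code."""
import re
from importlib import metadata

FIXED_VERSION = "0.23.0"
# x.y.z with an optional PEP 440 pre-release/dev suffix (a1, b2, rc1, .dev5)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc|\.dev)(\d*))?")


def parse_version(text: str) -> tuple:
    """Return a sortable tuple for the first x.y.z[pre] token in text.

    Final releases sort after their own pre-releases: (x, y, z, 1) for a
    final release, (x, y, z, 0, tag, n) for alpha/beta/rc/dev builds.
    The tag strings happen to sort in PEP 440 order: .dev < a < b < rc.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, num = m.group(4), m.group(5)
    if tag is None:
        return (major, minor, patch, 1)
    return (major, minor, patch, 0, tag, int(num or 0))


def is_fixed(version_text: str) -> bool:
    """True if version_text names a release at or above FIXED_VERSION."""
    return parse_version(version_text) >= parse_version(FIXED_VERSION)


def installed_status(dist: str = "marimo") -> str:
    """Report the locally installed distribution as fixed, vulnerable, or absent."""
    try:
        ver = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return f"{dist}: not installed"
    verdict = "fixed" if is_fixed(ver) else f"VULNERABLE (upgrade to >= {FIXED_VERSION})"
    return f"{dist} {ver}: {verdict}"


if __name__ == "__main__":
    print(installed_status())
```

Run this inside each Python environment (virtualenv, conda env, container image) that can import marimo; an interpreter that does not have the package simply reports "not installed", which is the expected result on hosts that were never affected.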
References
- GitHub Security Advisory: GHSA-2679-6MX9-H9XC
- Fix Pull Request
- Fix Commit
- Technical Analysis (PulsePatch)
- PyPI Package Release 0.23.0