
Marimo Pre-Auth RCE Vulnerability CVE-2026-39987 Added to KEV

Source: CISA Known Exploited Vulnerabilities (KEV)

Summary

CISA added CVE-2026-39987 to the Known Exploited Vulnerabilities catalog on 2026-04-23. The vulnerability is a pre-authentication remote code execution flaw in marimo (a reactive Python notebook), with a CVSS 4.0 score of 9.3 (CRITICAL) and active exploitation confirmed per SSVC. Organizations running marimo versions before 0.23.0 should update immediately given the KEV status and confirmed active exploitation.

“The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.”

CISA, verbatim from source
Published by CISA on cve.org. Detected, standardized, and enriched by GovPing.

About this source

GovPing monitors CISA Known Exploited Vulnerabilities (KEV) for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 37 changes logged to date.

What changed

CISA added CVE-2026-39987 to its Known Exploited Vulnerabilities (KEV) catalog. The entry documents a pre-authentication remote code execution vulnerability in the /terminal/ws WebSocket endpoint of marimo (a reactive Python notebook), affecting versions before 0.23.0. The CVSS 4.0 score is 9.3 (CRITICAL) and SSVC assessment confirms active exploitation with total technical impact.

Organizations running marimo should immediately identify affected instances and update to version 0.23.0 or later. Federal agencies face binding remediation requirements under existing CISA directives for KEV catalog entries.
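To act on the "identify affected instances" step, the following is an added example (not GovPing's or marimo's own code) that takes an inventory of marimo installations and flags every version in the affected range `< 0.23.0` from the CVE record. It handles `v` prefixes and pre-release tags (an `0.23.0rc1` build still precedes the fix); the hostnames and versions in the inventory are constructed for the example.

```python
import re

# CVE-2026-39987: marimo versions before 0.23.0 expose /terminal/ws without
# authentication. Fixed version as stated in the CVE record.
FIXED_VERSION = "0.23.0"

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)"      # release segment major.minor.patch
    r"(?:(a|b|rc)(\d+))?$"         # optional pre-release tag, e.g. rc1
)


def parse_version(text):
    """Parse a version string into a tuple that sorts like PEP 440.

    A pre-release (a/b/rc) sorts before the final release of the same
    number, so 0.23.0rc1 is treated as older than the 0.23.0 fix.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre_tag, pre_num = m.groups()
    # Final releases rank above any pre-release tag.
    pre_rank = {"a": 0, "b": 1, "rc": 2, None: 3}[pre_tag]
    return (int(major), int(minor), int(patch), pre_rank, int(pre_num or 0))


def is_affected(version):
    """True when the version falls inside the affected range '< 0.23.0'."""
    return parse_version(version) < parse_version(FIXED_VERSION)


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "nb-01.example.internal", "marimo_version": "0.22.5"},
    {"host": "nb-02.example.internal", "marimo_version": "0.23.0"},
    {"host": "nb-03.example.internal", "marimo_version": "0.23.0rc1"},
    {"host": "nb-04.example.internal", "marimo_version": "v0.24.1"},
]


def find_affected(inventory):
    """Return the hostnames whose marimo version is in the affected range."""
    return [e["host"] for e in inventory if is_affected(e["marimo_version"])]


if __name__ == "__main__":
    for host in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: update to marimo {FIXED_VERSION} or later (CVE-2026-39987)")
```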

Archived snapshot

Apr 24, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Required CVE Record Information

CNA: GitHub (maintainer security advisories)
Updated: 2026-04-09

Description

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.

CWE

- CWE-306: Missing Authentication for Critical Function

CVSS

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 9.3 | CRITICAL | 4.0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |

Product Status

Default status: unknown

- affected at < 0.23.0


Authorized Data Publishers

CISA-ADP: SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2026-04-23 |

KEV

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-39987 (2026-04-23)


About this page


What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: CISA
Published: April 23rd, 2026
Instrument: Notice
Branch: Executive
Legal weight: Non-binding
Stage: Final
Change scope: Minor
Document ID: CVE-2026-39987

Who this affects

Applies to: Technology companies, Manufacturers
Industry sector: 5112 Software & Technology
Activity scope: Vulnerability disclosure, Security patching
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Data Privacy, Intellectual Property
