Unintended Proxy or Intermediary in Marimo - #VU126466


Published: April 17, 2026


Vulnerability identifier: #VU126466
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-441
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Marimo
Affected software: Marimo

Detailed vulnerability description

The vulnerability allows a remote attacker to access internal services on the local machine.

The vulnerability exists because the /mpl/{port}/ endpoint proxies incoming requests to arbitrary local ports without requiring authentication. A remote attacker can send crafted requests to the proxy endpoint to reach internal services on the local machine.

The endpoint is exposed without authentication on default installations and can proxy traffic to any local service that speaks WebSocket, HTTP, or ASGI.
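The defensive check that follows is an added example and is not code from the Marimo project or from this advisory. It scans web-server access-log lines for requests to the /mpl/{port}/ path named above and flags any whose target port is not one the application itself registered, or whose source address is not loopback. The log lines, the allowlisted port 8765, and the combined-log format are constructed for illustration; adapt the allowlist and the regular expression to the server in front of your own deployment.

```python
"""Flag /mpl/{port}/ proxy requests that reach unexpected local ports or
arrive from non-loopback sources (added detection example, not Marimo code)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed combined-format access-log lines; not real Marimo output.
SAMPLE_LOG = """\
127.0.0.1 - - [17/Apr/2026:10:00:01 +0000] "GET /mpl/8765/ HTTP/1.1" 200 512
203.0.113.7 - - [17/Apr/2026:10:00:05 +0000] "GET /mpl/6379/ HTTP/1.1" 200 88
203.0.113.7 - - [17/Apr/2026:10:00:06 +0000] "GET /mpl/5432/ HTTP/1.1" 200 91
10.0.0.5 - - [17/Apr/2026:10:00:09 +0000] "GET /api/kernel/status HTTP/1.1" 200 40
127.0.0.1 - - [17/Apr/2026:10:00:12 +0000] "GET /mpl/abc/ HTTP/1.1" 404 0
127.0.0.1 - - [17/Apr/2026:10:00:15 +0000] "GET /mpl/9000/ HTTP/1.1" 502 0
"""

# Common/combined log format: source, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The proxy path from the advisory, with a numeric port segment.
MPL_PATH_RE = re.compile(r"^/mpl/(?P<port>\d{1,5})/")

# Assumption: the only local port the application should proxy to is the one it
# registered for its own figure server. 8765 is a made-up value for this example.
EXPECTED_PORTS = frozenset({8765})


@dataclass(frozen=True)
class Finding:
    src: str
    port: int
    status: int
    reason: str


def parse_line(line: str):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; unparsable addresses are treated as non-loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def classify(entry: dict, expected_ports=EXPECTED_PORTS):
    """Return a Finding for a suspicious /mpl/{port}/ request, else None."""
    pm = MPL_PATH_RE.match(entry["path"])
    if pm is None:
        return None  # not a proxy-endpoint request
    port = int(pm.group("port"))
    reasons = []
    if not 1 <= port <= 65535:
        reasons.append("invalid port")
    elif port not in expected_ports:
        reasons.append("port not registered by the application")
    if not is_loopback(entry["src"]):
        reasons.append("non-loopback source")
    if not reasons:
        return None
    return Finding(entry["src"], port, int(entry["status"]), "; ".join(reasons))


def find_suspicious_proxy_requests(log_text: str, expected_ports=EXPECTED_PORTS):
    """Scan a block of access-log text and collect Findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry, expected_ports)
        if finding is not None:
            findings.append(finding)
    return findings


def ports_probed_per_source(findings):
    """Group flagged target ports by source address; several distinct ports from
    one source is a stronger signal than a single stray request."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.src, set()).add(f.port)
    return {src: sorted(ports) for src, ports in grouped.items()}


if __name__ == "__main__":
    for f in find_suspicious_proxy_requests(SAMPLE_LOG):
        print(f"{f.src} -> local port {f.port} (HTTP {f.status}): {f.reason}")
    print(ports_probed_per_source(find_suspicious_proxy_requests(SAMPLE_LOG)))
```

Two design choices are worth noting. The allowlist is keyed on ports the application registered itself, which is the same property a fixed proxy should enforce at request time; checking it in the logs lets you confirm whether unexpected targets were reached before the update was applied. Loopback requests to unregistered ports are still reported, because a page loaded in the local browser can drive the endpoint on the attacker's behalf, so source address alone is not a sufficient filter.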


Remediation

Install the security update from the vendor's website.

Sources