CVE-2026-32116

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-32116
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-4g4c-mfqg-pj8r Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:magic-wormhole_project:magic_wormhole:*:*:*:*:*:python:*:*
History

16 Mar 2026, 18:02

Type Values Removed Values Added
First Time Magic-wormhole Project magic Wormhole
Magic-wormhole Project
CPE cpe:2.3:a:magic-wormhole_project:magic_wormhole:*:*:*:*:*:python:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.1
Summary
  • (es) Magic Wormhole permite obtener archivos y directorios de tamaño arbitrario de un ordenador a otro. Desde la versión 0.21.0 hasta antes de la 0.23.0, recibir un archivo (wormhole receive) de un actor malicioso podría resultar en la sobrescritura de archivos locales críticos, incluyendo ~/.ssh/authorized_keys y .bashrc. Esto podría utilizarse para comprometer el ordenador del receptor. Solo el remitente del archivo (el actor que ejecuta wormhole send) puede llevar a cabo el ataque. Otras partes (incluyendo los servidores de tránsito/retransmisión) quedan excluidas por el protocolo wormhole. Esta vulnerabilidad está corregida en la versión 0.23.0.
References () https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-4g4c-mfqg-pj8r - () https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-4g4c-mfqg-pj8r - Mitigation, Vendor Advisory

12 Mar 2026, 18:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-12 18:16

Updated : 2026-03-16 18:02

NVD link : CVE-2026-32116

Mitre link : CVE-2026-32116

CVE.ORG link : CVE-2026-32116

JSON object : View

Products Affected

magic-wormhole_project

  • magic_wormhole
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')