CVE-2026-32116
Arbitrary File Overwrite in Magic Wormhole Allows System Compromise
Publication date: 2026-03-12
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| magic-wormhole_project | magic_wormhole | From 0.21.0 (inc) to 0.23.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-32116 is a high-severity vulnerability in the magic-wormhole package versions 0.21.0 to before 0.23.0. It arises from a flaw in the "wormhole receive" command, where a malicious sender running "wormhole send" can overwrite arbitrary local files on the receiver\'s system.'}, {'type': 'paragraph', 'content': 'This happens because a security check that was supposed to strip directory paths from incoming filenames was accidentally removed in version 0.21.0. Without this check, the receiver writes files to arbitrary paths specified by the sender, including critical files like ~/.ssh/authorized_keys and .bashrc.'}, {'type': 'paragraph', 'content': 'Only the sender can exploit this vulnerability; intermediate parties such as relay servers cannot. Exploitation requires low privileges and active user interaction, meaning the receiver must run "wormhole receive".'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 0.23.0 by restoring the missing security check and adding unit tests to prevent regression.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability can severely impact system integrity by allowing a malicious sender to overwrite critical local files on the receiver's computer."}, {'type': 'list_item', 'content': "Overwriting ~/.ssh/authorized_keys could allow unauthorized access to the receiver's system."}, {'type': 'list_item', 'content': "Overwriting .bashrc or other important configuration files could alter the user's environment or execute malicious code."}, {'type': 'paragraph', 'content': 'Such unauthorized modifications can lead to full system compromise.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability occurs when using the "wormhole receive" command in affected versions of magic-wormhole (0.21.0 to before 0.23.0). Detection involves checking if your system is running one of these vulnerable versions and if the "wormhole receive" command has been used to receive files.'}, {'type': 'paragraph', 'content': 'To detect potential exploitation or attempts, you can look for unexpected modifications to critical local files such as ~/.ssh/authorized_keys or .bashrc, which could indicate an overwrite attack.'}, {'type': 'paragraph', 'content': 'A practical command to check the installed version of magic-wormhole is:'}, {'type': 'list_item', 'content': 'wormhole --version'}, {'type': 'paragraph', 'content': 'To check for recent modifications to critical files, you can use commands like:'}, {'type': 'list_item', 'content': 'ls -l ~/.ssh/authorized_keys'}, {'type': 'list_item', 'content': 'ls -l ~/.bashrc'}, {'type': 'paragraph', 'content': 'To see recent changes, you can also use:'}, {'type': 'list_item', 'content': 'stat ~/.ssh/authorized_keys'}, {'type': 'list_item', 'content': 'stat ~/.bashrc'}, {'type': 'paragraph', 'content': 'Monitoring logs or shell history for usage of "wormhole receive" commands may also help detect if the vulnerable command was run.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary and recommended mitigation is to upgrade magic-wormhole to version 0.23.0 or later, where the vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, a workaround is to use the "--output" or "-o" option with the "wormhole receive" command to explicitly specify a safe local filename. This prevents the sender from overwriting arbitrary files.'}, {'type': 'list_item', 'content': 'Use the command: wormhole receive -o <safe-filename>'}, {'type': 'paragraph', 'content': 'This forces the received file to be saved under a controlled filename, mitigating the risk of path traversal and arbitrary file overwrite.'}, {'type': 'paragraph', 'content': 'Additionally, monitor critical files for unauthorized changes and restrict usage of the "wormhole receive" command to trusted senders only.'}] [1]