CVE-2026-32116 | THREATINT

Description

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0.

PUBLISHED Reserved 2026-03-10 | Published 2026-03-12 | Updated 2026-03-13 | Assigner GitHub_M

HIGH: 8.2CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

>= 0.21.0, < 0.23.0

affected

References

github.com/...rmhole/security/advisories/GHSA-4g4c-mfqg-pj8r

cve.org (CVE-2026-32116)

nvd.nist.gov (CVE-2026-32116)

Download JSON