CVE-2026-32116
Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0.
| CWE | CWE-22 |
| Vendor | magic-wormhole |
| Product | magic-wormhole |
| Published | Mar 12, 2026 |
| Last Updated | Mar 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for magic-wormhole magic-wormhole
Be the first to know when new unknown vulnerabilities affecting magic-wormhole magic-wormhole are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
magic-wormhole / magic-wormhole
>= 0.21.0, < 0.23.0