CVE-2026-32116

Source
https://cve.org/CVERecord?id=CVE-2026-32116
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32116.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32116
Aliases
Downstream
Published
2026-03-12T17:40:49.791Z
Modified
2026-04-10T05:42:54.887423Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Summary
Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite
Details

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32116.json"
}
References

Affected packages

Git / github.com/magic-wormhole/magic-wormhole

Affected ranges

Type
GIT
Repo
https://github.com/magic-wormhole/magic-wormhole
Events

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32116.json"