Description
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0.
Published: 2026-03-12
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Overwrite leading to potential compromise of user account
Action: Patch Now
AI Analysis

Impact

Magic Wormhole allows a sender to transmit files to a receiver. From version 0.21.0 up to but not including 0.23.0, the receive operation did not guard against overwriting existing local files, so a malicious sender could cause the receiver to overwrite sensitive files such as ~/.ssh/authorized_keys and .bashrc, modifying the user's environment and authentication configuration. This Local File Overwrite weakness is tracked as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and gives an attacker the possibility of gaining unauthorized access or executing arbitrary code on the victim's machine.
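A receive-side guard of the kind the fix calls for, as an added example (not magic-wormhole's own code): the sender-supplied name is accepted only as a bare file name inside the destination directory, and the file is opened with O_EXCL so an existing file is never overwritten. The demo() scenario and the sample authorized_keys content are constructed for illustration.

```python
import os
import tempfile


class UnsafeFilename(ValueError):
    """Raised when a sender-supplied name is not a plain file name."""


def safe_target_path(offered_name: str, dest_dir: str) -> str:
    # The sender controls offered_name; accept only a bare file name so the
    # write can never escape dest_dir (CWE-22) into ~/.ssh or $HOME.
    if offered_name in ("", ".", "..") or "\x00" in offered_name:
        raise UnsafeFilename(repr(offered_name))
    if "/" in offered_name or "\\" in offered_name:
        raise UnsafeFilename(repr(offered_name))
    path = os.path.realpath(os.path.join(dest_dir, offered_name))
    if os.path.dirname(path) != os.path.realpath(dest_dir):
        raise UnsafeFilename(repr(offered_name))
    return path


def write_received_file(offered_name: str, data: bytes, dest_dir: str) -> str:
    path = safe_target_path(offered_name, dest_dir)
    # O_EXCL makes the open fail if the file already exists, so an existing
    # authorized_keys or .bashrc is never clobbered, and there is no racy
    # exists()-then-open window.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    # Constructed scenario: a receiver directory holding a file it must keep.
    dest = tempfile.mkdtemp()
    with open(os.path.join(dest, "authorized_keys"), "wb") as f:
        f.write(b"ssh-ed25519 AAAA... legit@host\n")
    results = {}
    for name in ("authorized_keys", "../authorized_keys", "report.pdf"):
        try:
            write_received_file(name, b"sender-chosen content", dest)
            results[name] = "written"
        except FileExistsError:
            results[name] = "refused: exists"
        except UnsafeFilename:
            results[name] = "rejected: unsafe name"
    with open(os.path.join(dest, "authorized_keys"), "rb") as f:
        results["authorized_keys_intact"] = f.read().startswith(b"ssh-ed25519")
    return results
```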

Affected Systems

The vulnerability affects the magic‑wormhole project, specifically versions 0.21.0 up to but not including 0.23.0. Any instance running these versions that accepts a receive operation from an untrusted sender is impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 8.2, indicating high severity. The EPSS score is below 1%, suggesting a low current probability of exploitation, and it is not listed in the CISA KEV catalog. The attack requires the sender to run wormhole send and the receiver to execute wormhole receive; the attacker needs the receiver to accept the transfer, but once it is accepted a malicious file can replace critical configuration files. The fix is to upgrade to 0.23.0 or later, which removes the vulnerability.

Generated by OpenCVE AI on March 17, 2026 at 16:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade magic-wormhole to version 0.23.0 or newer.

Generated by OpenCVE AI on March 17, 2026 at 16:15 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-4g4c-mfqg-pj8r
Title: Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite
History

Mon, 16 Mar 2026 18:15:00 +0000

  First Time appeared (values added): Magic-wormhole Project; Magic-wormhole Project magic Wormhole
  CPEs (values added): cpe:2.3:a:magic-wormhole_project:magic_wormhole:*:*:*:*:*:python:*:*
  Vendors & Products (values added): Magic-wormhole Project; Magic-wormhole Project magic Wormhole
  Metrics (values added): cvssV3_1
    {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Fri, 13 Mar 2026 17:15:00 +0000

  Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

  First Time appeared (values added): Magic-wormhole; Magic-wormhole magic-wormhole
  Vendors & Products (values added): Magic-wormhole; Magic-wormhole magic-wormhole

Thu, 12 Mar 2026 18:00:00 +0000

  Description (values added): Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0.
  Title (values added): Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite
  Weaknesses (values added): CWE-22
  References
  Metrics (values added): cvssV4_0
    {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:24:27.152Z

Reserved: 2026-03-10T22:02:38.855Z

Link: CVE-2026-32116

Vulnrichment

Updated: 2026-03-13T16:24:24.331Z

NVD

Status: Analyzed

Published: 2026-03-12T18:16:24.930

Modified: 2026-03-16T18:02:21.613

Link: CVE-2026-32116

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:48:42Z

Weaknesses