Platform
python
Component
magic-wormhole
Fixed in
0.21.1
0.23.0
CVE-2026-32116 is a high-severity vulnerability affecting magic-wormhole versions up to and including 0.22.0. During a file transfer, a malicious sender can cause the receiving side (wormhole receive) to overwrite critical local files on the receiver's system, including ~/.ssh/authorized_keys and ~/.bashrc, and thereby compromise the receiver's machine. The vulnerability is patched in version 0.23.0.
The core impact of CVE-2026-32116 is that a malicious sender can overwrite sensitive files on the receiving system. A sender using wormhole send can prepare a transfer that, when accepted via wormhole receive, overwrites files such as ~/.ssh/authorized_keys and ~/.bashrc. Control over ~/.ssh/authorized_keys lets the attacker add their own public key and obtain passwordless SSH access; control over ~/.bashrc injects commands that run at the start of every interactive shell. The attack is sender-initiated and does not involve the mailbox or transit relay servers, which narrows the exposure to the peer you are receiving from but does not remove the risk. The lesson for receivers is that the sender is the untrusted party: where a received file is written must be decided locally by the receiver, never by anything the sender supplies.
CVE-2026-32116 was disclosed on March 13, 2026. There is currently no indication of active exploitation in the wild, it is not listed in the CISA KEV catalog, and no public proof-of-concept (PoC) code has been released. Because the attack requires the victim to accept a transfer from the attacker, widespread exploitation is less likely, but the impact (persistent SSH access to the receiving account) warrants prompt remediation.
Anyone who uses magic-wormhole to receive files is exposed; the impact is highest on machines where the receiving account's home directory holds SSH keys or shell startup files that are sourced regularly. Hosts where an upgrade is slow to roll out, for example systems pinned to older Python releases, stay exposed longer. On shared or multi-user hosts, a foothold gained through one user's ~/.ssh/authorized_keys gives the attacker an interactive position from which to attack the rest of the system.
• python / system: Check the installed version (the magic-wormhole distribution imports as `wormhole`): python3 -c 'import wormhole; print(wormhole.__version__)' or pip show magic-wormhole
• python / system: Check ~/.ssh/authorized_keys and ~/.bashrc for unexpected modifications by comparing them against a known-good copy or a recorded checksum baseline.
• python / system: Monitor process execution for wormhole receive with unusual command-line arguments or an unusual working directory.
• python / system: Review shell history and system logs for wormhole receive operations that wrote outside the expected download directory.
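The two receiver-side checks listed above, version and file integrity, as an added example that is not part of the advisory or of the magic-wormhole project. It reads the installed version through the standard library (the distribution name `magic-wormhole` is the one pip installs), compares it against 0.23.0 as the advisory text gives it, and keeps a sha256 baseline of the two files the advisory names so that a later run reports which of them changed. The baseline path and the list of watched files are assumptions for this example.

```python
"""Receiver-side checks for CVE-2026-32116 (added example, not advisory or project code)."""
import hashlib
import json
from importlib import metadata
from pathlib import Path
from typing import Dict, List, Optional

FIXED_VERSION = "0.23.0"  # first fixed release according to the advisory text
# Files the advisory names as overwrite targets; the list is an assumption for this example.
WATCHED_FILES = ["~/.ssh/authorized_keys", "~/.bashrc"]


def parse_version(v: str) -> tuple:
    """Turn '0.22.0' (or '0.22.0+g1234', '0.22.0rc1') into a comparable tuple.

    Only the leading numeric dot-separated part is compared; pre-release tags
    are ignored, which is good enough for a "below the fixed release?" check."""
    core = v.split("+", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def installed_wormhole_version() -> Optional[str]:
    """Version of the installed magic-wormhole distribution, or None if absent."""
    try:
        return metadata.version("magic-wormhole")
    except metadata.PackageNotFoundError:
        return None


def file_digest(path: Path) -> Optional[str]:
    """sha256 of a file's content, None if the file does not exist."""
    if not path.is_file():
        return None
    return hashlib.sha256(path.read_bytes()).hexdigest()


def record_baseline(baseline: Path, files: List[str] = WATCHED_FILES) -> Dict[str, Optional[str]]:
    """Snapshot the digests of the watched files into a JSON baseline file."""
    snap = {f: file_digest(Path(f).expanduser()) for f in files}
    baseline.write_text(json.dumps(snap, indent=2))
    return snap


def check_baseline(baseline: Path, files: List[str] = WATCHED_FILES) -> List[str]:
    """Return the watched files whose content differs from the recorded baseline.

    A file that did not exist at baseline time and exists now (or vice versa)
    is reported as changed as well, since None != digest."""
    old = json.loads(baseline.read_text())
    return [f for f in files if file_digest(Path(f).expanduser()) != old.get(f)]


if __name__ == "__main__":
    ver = installed_wormhole_version()
    if ver is None:
        print("magic-wormhole is not installed in this interpreter")
    else:
        state = "VULNERABLE" if is_vulnerable(ver) else "fixed"
        print(f"magic-wormhole {ver}: {state} (fixed in {FIXED_VERSION})")
    baseline = Path("~/.wormhole-integrity.json").expanduser()  # assumed location
    if baseline.exists():
        changed = check_baseline(baseline)
        print("changed since baseline:", changed or "none")
    else:
        record_baseline(baseline)
        print(f"baseline recorded at {baseline}")
```

Run it once after upgrading (or on a known-clean system) to record the baseline, then re-run after each receive; a report naming ~/.ssh/authorized_keys should be treated as an incident until the change is explained.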
disclosure
Exploit status
EPSS
0.08% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2026-32116 is to upgrade magic-wormhole to version 0.23.0 or later, which contains the fix. Until that is possible, either do not run wormhole receive on an affected version at all, or accept transfers only from senders you have verified out of band, and run the receive in a fresh, empty directory under an account whose home directory holds no SSH keys or shell startup files you rely on. A WAF or proxy plays no role here: the transfer is end-to-end between the two peers, and neither file-type validation nor content scanning of the received payload would stop a write to ~/.ssh/authorized_keys. No Sigma or YARA rules are published for this issue; monitor ~/.ssh/ and the shell startup files in home directories for unexpected modifications.
Update Magic Wormhole to version 0.23.0 or later. This fixes the vulnerability that allows a malicious sender to arbitrarily overwrite local files. You can update with pip: `pip install --upgrade magic-wormhole`.
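The "receive into a fresh, empty directory" mitigation, carried through as an added example of how a receiving program can confine where a file lands. This is illustrative code written for this page, not magic-wormhole's own implementation or its fix: it maps a sender-offered name to a path strictly inside a dedicated inbox directory, rejects anything that could name a dotfile or escape the inbox (including through a symlink planted inside it), and opens the destination with O_EXCL so an existing file is never replaced. The inbox location and the naming policy are assumptions for this example.

```python
"""Confined destination for received files (added example, not magic-wormhole code)."""
import os
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a sender-offered name is not acceptable as an inbox entry."""


def new_inbox(base: Path) -> Path:
    """Create a fresh, empty, mode-0700 directory to receive into (assumed policy)."""
    return Path(tempfile.mkdtemp(prefix="wormhole-inbox-", dir=base))


def safe_destination(inbox: Path, offered_name: str) -> Path:
    """Map a sender-offered name to a path strictly inside `inbox`, or raise.

    Policy (an assumption for this example): exactly one path component, no
    '/' or '\\' or NUL, not '.' or '..', not empty, not a dotfile (so names
    like .bashrc or .ssh are refused outright), and the resolved path must
    still sit directly under the resolved inbox. The final check also catches
    a symlink inside the inbox that points somewhere else."""
    if not offered_name or offered_name in (".", ".."):
        raise UnsafeFilename(f"rejected name: {offered_name!r}")
    if "/" in offered_name or "\\" in offered_name or "\x00" in offered_name:
        raise UnsafeFilename(f"path separators or NUL in name: {offered_name!r}")
    if offered_name.startswith("."):
        raise UnsafeFilename(f"dotfiles are not accepted: {offered_name!r}")
    root = inbox.resolve()
    dest = (root / offered_name).resolve()
    if dest.parent != root:
        raise UnsafeFilename(f"{offered_name!r} escapes {root}")
    return dest


def is_accepted(inbox: Path, offered_name: str) -> bool:
    """Convenience predicate around safe_destination."""
    try:
        safe_destination(inbox, offered_name)
        return True
    except UnsafeFilename:
        return False


def write_received(inbox: Path, offered_name: str, data: bytes) -> Path:
    """Write data to the confined destination.

    O_EXCL makes the open fail with FileExistsError if anything (file or
    symlink) already has that name, so a receive can create but never replace."""
    dest = safe_destination(inbox, offered_name)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    inbox = new_inbox(Path(tempfile.gettempdir()))
    print("receiving into", inbox)
    # Constructed sample names a sender might offer; the payload is a placeholder.
    for name in ["report.pdf", "../.bashrc", ".ssh", "/etc/passwd", "notes/../x"]:
        try:
            print(name, "->", write_received(inbox, name, b"sample payload"))
        except (UnsafeFilename, FileExistsError) as exc:
            print(name, "-> refused:", exc)
```

If a received file must end up somewhere else, move it there with a separate, deliberate step after inspecting it; the receiving code itself never writes outside the inbox it just created.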
CVE-2026-32116 is a high-severity vulnerability in magic-wormhole versions up to 0.22.0 that allows a malicious sender to overwrite critical local files during a file transfer, potentially compromising the receiver's system.
You are affected if you are using magic-wormhole versions 0.22.0 or earlier. Upgrade to 0.23.0 or later to resolve the issue.
Upgrade magic-wormhole to version 0.23.0 or later. This resolves the file overwrite vulnerability.
There is currently no evidence of active exploitation, but the potential for exploitation exists if a proof-of-concept is released.
Refer to the magic-wormhole project's official release notes and security advisories on their GitHub repository for the most up-to-date information.