Platform
python
Component
magic-wormhole
Fixed in
0.21.1
0.23.0
CVE-2026-32116 is a high-severity vulnerability affecting magic-wormhole versions up to and including 0.22.0. A malicious sender can exploit the flaw to overwrite existing local files on the receiver's system while the receiver runs `wormhole receive`. Because the sender chooses what gets written, this is enough to compromise the receiver's account by replacing files such as ~/.ssh/authorized_keys and ~/.bashrc. The vulnerability is patched in version 0.23.0.
The primary impact of CVE-2026-32116 is unauthorized file overwrite. An attacker acting as the sender in a magic-wormhole transfer can craft the transfer so that, when it is accepted, it overwrites an existing file on the receiving system instead of creating a new one. The most serious target is ~/.ssh/authorized_keys, which controls SSH key-based authentication: replacing it with a file containing the attacker's public key grants the attacker SSH access to the receiver's account. Overwriting ~/.bashrc instead gives persistent command execution, since the injected commands run every time the receiver starts an interactive shell. Only the sender can mount this attack. Relay servers and any other party to the transfer are not in a position to exploit it, because the protocol end-to-end encrypts the transfer between sender and receiver and relays only forward ciphertext.
CVE-2026-32116 was publicly disclosed on 2026-03-13. There is no indication of active exploitation at this time, no public proof-of-concept (PoC) code has been released, and the vulnerability is not listed in the CISA KEV catalog. The current EPSS score is low (0.08%, 25th percentile). Exploitation should nonetheless be expected to become more likely once a PoC appears: the attack requires nothing beyond a receiver willing to accept a transfer, and a successful overwrite of authorized_keys yields remote login rather than merely a corrupted file.
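The impact described above reduces to one receiver-side property: a sender-chosen file name must never select a path outside the receive directory, and must never replace a file that already exists. The following is an added example written for this page, not magic-wormhole's own code and not its actual fix. It puts the trusting pattern that produces this class of bug next to a hardened version and runs both against constructed attacker-supplied names in a throwaway directory. The function names (`naive_destination`, `safe_destination`, `write_received`) are illustrative, not the project's API.

```python
import os
import tempfile
from pathlib import Path

# Added example, not code from magic-wormhole or from the advisory. Function
# names are illustrative; all file names and contents below are constructed.


def naive_destination(dest_dir: str, offered_name: str) -> str:
    """Vulnerable pattern: trust the sender's file name and join it blindly.

    os.path.join discards dest_dir when offered_name is absolute, '..'
    components walk out of dest_dir, and a symlink already sitting at the
    target redirects the write somewhere else entirely.
    """
    return os.path.join(dest_dir, offered_name)


def safe_destination(dest_dir: str, offered_name: str) -> Path:
    """Map a sender-supplied name to a path strictly inside dest_dir, else raise."""
    if not offered_name or offered_name in (".", ".."):
        raise ValueError("empty or reserved file name")
    # A received file is a bare basename: no separators of either flavour, no NUL.
    if any(c in offered_name for c in ("/", "\\", "\x00")):
        raise ValueError(f"directory components not allowed: {offered_name!r}")
    base = Path(dest_dir).resolve()
    # resolve() follows any symlink planted at the target; the result must
    # still be a direct child of the receive directory.
    candidate = (base / offered_name).resolve()
    if candidate.parent != base:
        raise ValueError(f"name escapes receive directory: {offered_name!r}")
    return candidate


def write_received(dest_dir: str, offered_name: str, data: bytes) -> Path:
    """Write a received file without ever replacing an existing one."""
    target = safe_destination(dest_dir, offered_name)
    # O_EXCL makes the open fail if anything (file or symlink) already exists.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def _escapes(dest_dir: Path, raw_path: str) -> bool:
    """Would an open() of raw_path land outside dest_dir once symlinks are followed?"""
    return Path(raw_path).resolve().parent != dest_dir.resolve()


def demo() -> dict:
    """Run constructed malicious names through both implementations."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        home_p = Path(home)
        (home_p / ".ssh").mkdir()
        (home_p / ".ssh" / "authorized_keys").write_text("ssh-ed25519 AAAA... legit@host\n")
        (home_p / ".bashrc").write_text("# victim's shell rc (constructed)\n")
        recv = home_p / "Downloads"
        recv.mkdir()
        # A symlink left in the receive directory by an earlier transfer.
        os.symlink(home_p / ".bashrc", recv / "notes.txt")

        cases = {
            "traversal": "../.ssh/authorized_keys",
            "absolute": str(home_p / ".bashrc"),
            "symlink": "notes.txt",
            "benign": "report.pdf",
        }
        for label, name in cases.items():
            try:
                safe_destination(str(recv), name)
                accepted = True
            except ValueError:
                accepted = False
            results[label] = {
                "naive_escapes": _escapes(recv, naive_destination(str(recv), name)),
                "safe_accepted": accepted,
            }

        write_received(str(recv), "report.pdf", b"%PDF-1.7 constructed\n")
        try:
            write_received(str(recv), "report.pdf", b"second copy")
            results["overwrite_refused"] = False
        except FileExistsError:
            results["overwrite_refused"] = True
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:18} {outcome}")
```

The two checks are deliberately independent: the containment test in `safe_destination` stops traversal, absolute names and planted symlinks, while `O_EXCL` in `write_received` stops the remaining case, a legitimate-looking name that happens to match a file the receiver already has. Either one alone leaves a gap.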
Exploit Status
EPSS
0.08% (25th percentile)
CISA SSVC
The definitive mitigation for CVE-2026-32116 is to upgrade magic-wormhole to version 0.23.0 or later, which includes the fix. If an immediate upgrade is not feasible because of compatibility or downtime constraints, reduce exposure in the meantime. No network-level control such as a WAF helps here: the flaw is in how the receiving client handles the file locally, not in anything a proxy can inspect. Accept transfers only from senders you trust, and run `wormhole receive` as a throwaway user or inside a container or clean directory where overwriting a dotfile has no consequence, then inspect what arrived before moving it anywhere that matters. After upgrading, confirm the installed version with `pip show magic-wormhole` (or `pip list | grep -i wormhole`) rather than relying on a test transfer: a transfer from a well-behaved sender never triggers the bug, so its success proves nothing.
Upgrade magic-wormhole to version 0.23.0 or higher to fix the vulnerability that lets a malicious sender overwrite local files. With pip: `pip install --upgrade "magic-wormhole>=0.23.0"`. If the package is pinned in a requirements file, raise the pin there as well so a later reinstall does not bring the vulnerable version back.
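To find out whether a project pulls in an affected release before touching anything, here is an added example written for this page (not part of the advisory and not magic-wormhole code). It scans constructed requirements.txt lines for this package, classifies each pin against the fixed version stated in the advisory (0.23.0), and checks the distribution installed in the current interpreter. The version comparison is deliberately simplified: it compares numeric components only and treats a pre-release such as 0.23.0rc1 as the release it precedes.

```python
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# Added example, not part of the advisory or of magic-wormhole. The fixed
# version comes from the advisory text; the requirements lines are constructed.

PACKAGE = "magic-wormhole"
FIXED_VERSION = "0.23.0"

# name, optional extras, optional single specifier: enough for pip-style pins.
_REQ = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"\s*(?:\[[^\]]*\])?"
    r"\s*(?:(?P<op>==|>=|~=|<=|<|>|!=)\s*(?P<ver>[0-9][0-9A-Za-z.*+!-]*))?"
)


def _normalize(name: str) -> str:
    """PEP 503 style: magic_wormhole, Magic.Wormhole and magic-wormhole are one name."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple:
    """Numeric components only; '0.23.0rc1' -> (0, 23, 0). Simplification noted above."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_fixed(ver: str) -> bool:
    """True when ver >= FIXED_VERSION, padding so 0.23 compares equal to 0.23.0."""
    a, b = parse_version(ver), parse_version(FIXED_VERSION)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def classify_requirement(line: str):
    """'affected', 'fixed' or 'unpinned' for a magic-wormhole line; None otherwise."""
    m = _REQ.match(line)
    if not m or _normalize(m["name"]) != PACKAGE:
        return None
    op, ver = m["op"], m["ver"]
    if op == "==":
        return "fixed" if is_fixed(ver) else "affected"
    if op in (">=", "~=") and is_fixed(ver):
        return "fixed"
    # No pin, a floor below the fix, or an upper bound: the resolver may still
    # choose an affected release, so the installed version must be checked.
    return "unpinned"


def scan_requirements(text: str) -> list:
    """Return (line, verdict) for every magic-wormhole line in a requirements file."""
    found = []
    for line in text.splitlines():
        verdict = classify_requirement(line)
        if verdict is not None:
            found.append((line.strip(), verdict))
    return found


def check_installed() -> str:
    """Verdict for the distribution installed in this interpreter, if any."""
    try:
        ver = installed_version(PACKAGE)
    except PackageNotFoundError:
        return "not installed"
    return "fixed" if is_fixed(ver) else "affected"


SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt for this example
requests==2.32.3
magic-wormhole==0.22.0
magic_wormhole==0.23.0
magic-wormhole>=0.21.1   # floor only: the resolver may still pick 0.22.0
MAGIC-WORMHOLE[ui]>=0.23.0
"""

if __name__ == "__main__":
    for line, verdict in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{verdict:9} {line}")
    print("installed:", check_installed())
```

The "unpinned" verdict is the one that gets overlooked in practice: a floor such as `>=0.21.1` looks deliberate but says nothing about which release the resolver actually chose, so pair the file scan with `check_installed()` in every environment that runs the receiver.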
CVE-2026-32116 is a high-severity vulnerability in magic-wormhole versions up to 0.22.0 that allows a malicious sender to overwrite critical local files during a file transfer, potentially compromising the receiver's system.
You are affected if you are using magic-wormhole versions 0.22.0 or earlier. Upgrade to 0.23.0 or later to resolve the issue.
Upgrade magic-wormhole to version 0.23.0 or later. This resolves the file overwrite vulnerability.
There is currently no evidence of active exploitation, but the potential for exploitation exists if a proof-of-concept is released.
Refer to the magic-wormhole project's official release notes and security advisories on their GitHub repository for the most up-to-date information.