CVE-2026-32116
Published: 12 March 2026
Summary
CVE-2026-32116 is a high-severity Path Traversal (CWE-22) vulnerability in Magic-Wormhole Project Magic Wormhole. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique SSH Authorized Keys (T1098.004); ranked at the 29.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation by upgrading Magic Wormhole to 0.23.0 or later directly eliminates the path traversal vulnerability during file receives.
Information input validation enforces proper checking of file paths received via wormhole receive to block traversal to critical files like ~/.ssh/authorized_keys.
Software integrity verification detects unauthorized overwrites of critical files such as .bashrc or authorized_keys resulting from exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal enables direct overwrite of ~/.ssh/authorized_keys (T1098.004) and shell config files such as .bashrc (T1546.004) during wormhole receive, providing persistence via SSH keys or malicious shell initialization.
NVD Description
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and…
more
.bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0.
Deeper analysisAI
CVE-2026-32116 is a path traversal vulnerability (CWE-22) in Magic Wormhole, a tool for securely transferring arbitrary-sized files and directories between computers. It affects versions from 0.21.0 up to but not including 0.23.0. The issue arises during the "wormhole receive" operation, where a maliciously crafted file transfer can overwrite critical local files on the receiver's system, such as ~/.ssh/authorized_keys and .bashrc. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to its potential for integrity and availability impacts.
Exploitation requires the attacker to act as the sender running "wormhole send," targeting a victim who executes "wormhole receive." The sender needs only low privileges (PR:L) and network access to the receiver, with no user interaction required (UI:N). Successful exploitation allows the attacker to overwrite sensitive files, potentially compromising the receiver's computer by injecting unauthorized SSH keys or malicious shell configurations. The wormhole protocol prevents exploitation by transit or relay servers or other third parties.
The GitHub security advisory (GHSA-4g4c-mfqg-pj8r) confirms the vulnerability was fixed in Magic Wormhole version 0.23.0. Security practitioners should advise users to upgrade to 0.23.0 or later to mitigate the issue, and review any prior file transfers from untrusted senders on affected versions.
Details
- CWE(s)