PT-2026-25032 · Git+3 · Magic-Wormhole

Ikmckenz · Published 2026-03-12 · Updated 2026-03-13 · CVE-2026-32116

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Name of the Vulnerable Software and Affected Versions

Magic Wormhole versions 0.21.0 through 0.22.9

Description

Magic Wormhole allows the transfer of files and directories of arbitrary size between computers. In versions from 0.21.0 up to, but not including, 0.23.0, receiving a file (wormhole receive) from a malicious party could lead to the overwriting of critical local files, including ~/.ssh/authorized_keys and .bashrc. This could potentially compromise the receiving computer. The attack can only be initiated by the sender of the file (the party executing wormhole send); the wormhole protocol excludes other parties such as transit/relay servers. The cause is a receiver-side check that went missing during refactoring in version 0.21.0 and was restored in version 0.23.0. The filename received in a file transfer request is used to determine where the file is written. Legitimate senders compute it from the base name of the sent file, but with the check missing in the affected versions, a malicious sender could control the filename and potentially overwrite critical system files.

Recommendations

Versions prior to 0.23.0 should be upgraded to version 0.23.0 or later. As a temporary workaround, use the --output or -o option with wormhole receive to override the sender's filename. For example, wormhole receive -o shopping-list.txt will write the file to shopping-list.txt regardless of the sender's intent. This option must be used with every invocation of wormhole receive / wormhole rx to be effective.
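
The description attributes the flaw to a missing receiver-side check on the sender-supplied filename. The following is an added sketch of such a check, not Magic Wormhole's own code; safe_destination, UnsafeFilenameError and the sample offers are hypothetical names and constructed values:

```python
import os
import tempfile

class UnsafeFilenameError(ValueError):
    """Raised when a sender-supplied filename is not a plain base name."""

def safe_destination(offered_name, dest_dir):
    """Map a sender-supplied filename to a path directly inside dest_dir."""
    if not offered_name or "\x00" in offered_name:
        raise UnsafeFilenameError("empty name or NUL byte")
    # A legitimate sender offers only the base name of the file, so any
    # path separator (POSIX or Windows style) marks the offer as hostile.
    if "/" in offered_name or "\\" in offered_name:
        raise UnsafeFilenameError(f"path separator in {offered_name!r}")
    if offered_name in (".", ".."):
        raise UnsafeFilenameError(f"directory reference {offered_name!r}")
    base = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(base, offered_name))
    # Defence in depth: once symlinks are resolved, the target must still
    # sit directly inside dest_dir (catches a pre-existing symlink there).
    if os.path.dirname(candidate) != base:
        raise UnsafeFilenameError(f"{offered_name!r} escapes {base!r}")
    return candidate

# Constructed sample offers (hypothetical; not taken from the advisory).
CONSTRUCTED_OFFERS = [
    "shopping-list.txt", "../.bashrc", "/home/user/.ssh/authorized_keys",
    "..", "..\\..\\notes.txt", "link-out",
]

def demo():
    """Classify each constructed offer against a scratch download directory."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "downloads")
        os.mkdir(dest)
        # "link-out" already exists in dest as a symlink pointing outside it.
        os.symlink(os.path.join(root, "outside"), os.path.join(dest, "link-out"))
        verdicts = {}
        for name in CONSTRUCTED_OFFERS:
            try:
                safe_destination(name, dest)
                verdicts[name] = "accept"
            except UnsafeFilenameError:
                verdicts[name] = "reject"
        return verdicts

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:6}  {name!r}")
```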

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-32116
GHSA-4G4C-MFQG-PJ8R

Affected Products

Magic-Wormhole