CVE-2026-32116: Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite

March 13, 2026

What kind of vulnerability is it? Who is impacted?

Receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver’s computer.

Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol.

References

github.com/advisories/GHSA-4g4c-mfqg-pj8r
github.com/magic-wormhole/magic-wormhole
github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-4g4c-mfqg-pj8r
nvd.nist.gov/vuln/detail/CVE-2026-32116

Code Behaviors & Features

Detect and mitigate CVE-2026-32116 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →