CVE-2026-32116 Overview
CVE-2026-32116 is a Path Traversal vulnerability affecting Magic Wormhole, a popular file transfer utility designed to securely move arbitrary-sized files and directories between computers. This vulnerability allows a malicious sender to craft file transfers that can overwrite critical local files on the receiver's system, including sensitive configuration files such as ~/.ssh/authorized_keys and .bashrc.
Critical Impact
A malicious party running wormhole send can exploit this vulnerability to overwrite critical system files on the receiver's computer, potentially leading to full system compromise through unauthorized SSH access or arbitrary command execution via shell initialization scripts.
Affected Products
- Magic Wormhole versions 0.21.0 to before 0.23.0
Discovery Timeline
- 2026-03-12 - CVE-2026-32116 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32116
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), which occurs when the application fails to properly sanitize user-supplied input before using it in file path operations. In the context of Magic Wormhole, when a receiver executes wormhole receive, the application processes filenames sent by the remote party without adequate validation of path components.
The vulnerability enables an attacker who initiates a file transfer (the sender) to include directory traversal sequences in the filename. When the receiver accepts the transfer, the malicious filename causes files to be written outside the intended download directory, potentially overwriting sensitive system files.
Key characteristics of this vulnerability include:
- Network-based attack vector requiring user interaction from the receiver
- Limited to sender-initiated attacks; relay servers and other parties cannot exploit this flaw
- Can result in complete compromise of the receiver's system through file overwrites
Root Cause
The root cause is improper input validation in the file receiving mechanism of Magic Wormhole versions 0.21.0 through 0.22.x. The application fails to adequately sanitize or reject filenames containing path traversal sequences (such as ../) when processing incoming file transfers. This allows attackers to escape the intended destination directory and write files to arbitrary locations on the filesystem with the permissions of the user running the wormhole receive command.
Attack Vector
The attack is network-based and requires the following conditions:
- The attacker must be the sender in a Magic Wormhole file transfer session
- The victim must initiate a receive operation (wormhole receive) and accept the transfer
- The attacker crafts malicious filenames containing path traversal sequences pointing to sensitive files
The attack specifically targets critical configuration files. Overwriting ~/.ssh/authorized_keys allows the attacker to inject their own SSH public key, granting persistent remote access. Overwriting .bashrc or similar shell initialization files enables arbitrary command execution the next time the victim opens a terminal session.
The vulnerability exploits the trust relationship inherent in the wormhole protocol, where receivers implicitly trust that the sender's filenames are benign. Since the wormhole protocol excludes relay servers from tampering with content, only a malicious sender can execute this attack.
Detection Methods for CVE-2026-32116
Indicators of Compromise
- Unexpected modifications to ~/.ssh/authorized_keys with unfamiliar SSH public keys
- Changes to shell initialization files (.bashrc, .bash_profile, .zshrc) containing suspicious commands
- File modification timestamps on critical dotfiles that don't correspond to user activity
- Presence of unfamiliar SSH connections or authorized keys in user home directories
Detection Strategies
- Monitor file integrity of critical user configuration files using file integrity monitoring (FIM) tools
- Alert on modifications to ~/.ssh/authorized_keys files outside of expected administrative processes
- Implement endpoint detection rules for path traversal patterns in file operations
- Review Magic Wormhole application logs for unusual filenames containing ../ sequences
Monitoring Recommendations
- Deploy SentinelOne Singularity Platform for real-time detection of suspicious file operations targeting user configuration files
- Enable audit logging for file writes to sensitive directories including ~/.ssh/ and user home directories
- Configure alerts for any process writing to shell initialization files outside of normal user activity
- Monitor for new SSH key additions across endpoints in your environment
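The file integrity and new-key checks listed above can be sketched as a small baseline-and-compare script. This is an added example, not part of Magic Wormhole or of any product named on this page; the baseline file name dotfile_baseline.json and the function names are assumptions.

```python
import hashlib
import json
from pathlib import Path

# Files the advisory names as overwrite targets, relative to a home directory.
WATCHED = [".ssh/authorized_keys", ".bashrc", ".bash_profile", ".zshrc"]


def key_lines(text):
    """Non-blank, non-comment authorized_keys entries."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")}


def snapshot(home):
    """Hash each watched file; keep the key set for authorized_keys."""
    snap = {}
    for rel in WATCHED:
        path = Path(home) / rel
        if not path.is_file():
            snap[rel] = None
            continue
        data = path.read_bytes()
        snap[rel] = {"sha256": hashlib.sha256(data).hexdigest()}
        if rel.endswith("authorized_keys"):
            snap[rel]["keys"] = sorted(key_lines(data.decode("utf-8", "replace")))
    return snap


def compare(baseline, current):
    """Return (file, finding) tuples; an empty list means nothing changed."""
    findings = []
    for rel in WATCHED:
        old, new = baseline.get(rel), current.get(rel)
        if old == new:
            continue
        state = "created" if old is None else "deleted" if new is None else "modified"
        findings.append((rel, state))
        added = set((new or {}).get("keys", [])) - set((old or {}).get("keys", []))
        findings += [(rel, "new key: " + k) for k in sorted(added)]
    return findings


if __name__ == "__main__":  # first run writes the baseline, later runs compare
    store = Path("dotfile_baseline.json")
    if store.exists():
        for rel, what in compare(json.loads(store.read_text()), snapshot(Path.home())):
            print(f"ALERT {rel}: {what}")
    else:
        store.write_text(json.dumps(snapshot(Path.home())))
```

Take the baseline on a system known to be clean, and keep the baseline file somewhere the monitored account cannot write to.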
How to Mitigate CVE-2026-32116
Immediate Actions Required
- Upgrade Magic Wormhole to version 0.23.0 or later immediately
- Audit ~/.ssh/authorized_keys files on systems where Magic Wormhole was used to receive files
- Review shell initialization files (.bashrc, .bash_profile, .zshrc) for unauthorized modifications
- Consider temporarily disabling or restricting Magic Wormhole usage until patching is complete
Patch Information
This vulnerability is fixed in Magic Wormhole version 0.23.0. Organizations should update to this version or later as soon as possible. The patch addresses the path traversal vulnerability by implementing proper filename sanitization that prevents directory traversal sequences from being used to write files outside the intended destination directory.
For detailed information about the security fix, refer to the GitHub Security Advisory.
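The root cause and the fix described above both come down to one check: a sender-supplied name must resolve inside the download directory before anything is written. The following is an added illustration of that check, not Magic Wormhole's code or its actual patch; the function names and sample filenames are constructed for the example.

```python
import os
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a sender-supplied name would land outside the download dir."""


def naive_destination(download_dir, offered_name):
    # Vulnerable pattern: the sender's name is joined without any validation.
    return os.path.normpath(os.path.join(download_dir, offered_name))


def safe_destination(download_dir, offered_name):
    """Return the absolute path to write to, or raise UnsafeFilename."""
    base = Path(download_dir).resolve()
    name = offered_name.replace("\\", "/")  # treat Windows separators as separators
    if not name or "\x00" in name:
        raise UnsafeFilename("empty name or NUL byte")
    parts = name.split("/")
    if name.startswith("/") or (len(parts[0]) == 2 and parts[0][1] == ":"):
        raise UnsafeFilename("absolute path")
    if any(p in ("", ".", "..") for p in parts):
        raise UnsafeFilename("traversal or empty component")
    # resolve() follows symlinks already present in the download directory,
    # so a link pointing outside it is caught by the containment check below.
    target = (base / Path(*parts)).resolve()
    if os.path.commonpath([str(base), str(target)]) != str(base):
        raise UnsafeFilename("resolves outside the download directory")
    return target


def check(download_dir, offered_name):
    try:
        return "accept", str(safe_destination(download_dir, offered_name))
    except UnsafeFilename as exc:
        return "reject", str(exc)


if __name__ == "__main__":
    # Constructed sample names, as a receiver might see them in a file offer.
    for name in ["report.pdf", "photos/a.jpg", "../.ssh/authorized_keys", "/etc/passwd"]:
        print(f"{name!r:30} -> {check('downloads', name)}")
```

Rejecting the name outright, rather than stripping the ../ sequences and continuing, avoids surprises from nested or encoded sequences that survive a single stripping pass.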
Workarounds
- Avoid using wormhole receive to accept files from untrusted or unknown parties until patched
- Use alternative secure file transfer methods for receiving files from unverified sources
- Implement strict file system permissions to protect critical configuration files from overwrites
- Run Magic Wormhole in a sandboxed or containerized environment with limited write access to the host filesystem
# Verify Magic Wormhole version and upgrade
pip show magic-wormhole | grep Version
# Quote the requirement so the shell does not treat ">" as output redirection
pip install --upgrade "magic-wormhole>=0.23.0"
# Audit SSH authorized_keys for unexpected entries
cat ~/.ssh/authorized_keys
# Review and remove any unauthorized public keys
# Check shell initialization files for suspicious content
grep -E "(curl|wget|bash|eval|exec)" ~/.bashrc ~/.bash_profile ~/.zshrc 2>/dev/null
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

