CVE-2026-32116 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: March 16, 2026
Magic Wormhole - Broken Access Control
Published: March 12, 2026 | Updated: March 16, 2026 | Remote Exploitable
Overview
Magic Wormhole versions 0.21.0 up to, but not including, 0.23.0 contain a file overwrite vulnerability that is triggered when receiving files from a malicious sender, which lets the sender overwrite critical local files. Exploitation requires the sender to run wormhole send.
Severity & Score
Severity: High
CVSS Score: 8.1
EPSS Score: 8.4% (Probability of exploitation in next 30 days)
Impact
Malicious senders can overwrite critical local files, potentially compromising the receiver's computer.
Mitigation
Update to version 0.23.0 or later.
Social Media Activity (1 post)
magic wormhole
@magicwormhole
This month's exciting release fixes our first official[1] CVE for magic wormhole! To improve your local machine's safety, please upgrade to magic wormhole 0.23.0 https://pypi.org/project/magic-wormhole/ [1] https://nvd.nist.gov/vuln/detail/CVE-2026-32116
Details
- CVE ID: CVE-2026-32116
- Severity: High
- CVSS Score: 8.1
- Type: broken_access_control
- Status: confirmed
- EPSS: 8.4%
- Social Posts: 1
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score
8.4% (Probability of exploitation in the next 30 days)