Path Traversal in Magic Wormhole Affecting File Transfer Operations
CVE-2026-42448

3.5LOW

Key Information:

Vendor: Magic-wormhole
Status: Magic-wormhole
Vendor: CVE Published:; 26 May 2026

🔔 Create Magic-wormhole Vulnerability Alert

What is CVE-2026-42448?

A path traversal vulnerability exists in Magic Wormhole that allows an attacker to access arbitrary files and directories on the target system. This issue arises when a user specifies the '--output ' option, where the output directory is already present as a directory. With versions prior to 0.24.0, this flaw can be exploited, leading to unauthorized file retrieval. Users are advised to upgrade to version 0.24.0 or later to mitigate this risk.

Affected Version(s)

magic-wormhole < 0.24.0

References

https://github.com/magic-wormhole/magic-wormhole/security...

x_refsource_CONFIRM

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
Apr 27, 2026

CVE-2026-42448 Data

JSON