Severity by source
CVSS 4.0 vector (primary rating from NVD, the only source for this CVE):
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
CodexBar prior to 0.32.0 contains a privilege escalation vulnerability in the CLI installer that allows local attackers to execute arbitrary commands as root by exploiting a race condition in temporary file handling. The installer creates a temporary file with mktemp, writes a privileged shell payload into it, and executes it with administrator privileges via bash, allowing a same-user local process to rewrite the installer body before the administrator prompt is approved, causing attacker-controlled commands to run as root.
Analysis (AI-generated)
Local privilege escalation in CodexBar prior to 0.32.0 allows a same-user attacker to execute arbitrary commands as root by winning a TOCTOU race against the CLI installer's temporary file. The installer writes a privileged shell payload via mktemp and invokes it through bash under an administrator prompt, leaving a window in which the file body can be swapped before approval. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires the attacker to already have local code execution as the same user account that runs the CodexBar CLI installer on macOS, and requires that user to actively initiate the install/upgrade and approve the macOS administrator authorization prompt (UI:P in CVSS); a brief race window between mktemp script creation and bash-as-root execution must be won (AC:H). … |
| Risk Assessment | Signals conflict and should be reconciled before prioritization. … |
| Exploit Scenario | An attacker who already has unprivileged code execution as the target user on macOS (for example via a malicious helper, dropped LaunchAgent, or earlier phishing payload) monitors for the CodexBar CLI installer to create its mktemp script. When the user triggers the install and the macOS authorization prompt appears, the attacker's process overwrites the temporary script body with arbitrary commands; once the user approves, bash executes the attacker's payload as root. … |
| Remediation | Vendor-released patch: CodexBar 0.32.0; upgrade immediately via the GitHub release at https://github.com/steipete/CodexBar/releases/tag/v0.32.0 (the relevant changelog entry reads 'CLI: avoid executing a same-user mutable temporary installer script across the macOS administrator privilege boundary'). … |
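The changelog's remedy, not executing a same-user mutable temporary script across the administrator boundary, can be illustrated with an added bash example; this is not CodexBar's code, and the function names, file names and payload body are constructed for the illustration. The idea shown is that the privileged side never runs the user-writable original: it copies the script into a fresh private directory and checks it against a hash the caller computed from the payload it intended to run, so a swap of the original between creation and approval is refused, and the copy it does execute is no longer writable by the unprivileged user.

```shell
#!/usr/bin/env bash
# Added illustration (not CodexBar's code): the privileged side copies the
# installer script into a private directory it owns and verifies a SHA-256
# that the unprivileged caller recorded when it wrote the payload. A same-user
# process that rewrites the original before the admin prompt is approved
# changes the hash, and the executed copy is out of that process's reach.

sha256_hex() {                         # portable: GNU coreutils or macOS shasum
  { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# Unprivileged side: write the payload and record its hash at creation time.
# Prints "<path> <sha256>". The payload body is constructed for the demo.
write_installer_payload() {
  local f
  f=$(mktemp "${TMPDIR:-/tmp}/installer.XXXXXX") || return 1
  printf '%s\n' '#!/bin/bash' 'echo installed > "$1"' > "$f"
  printf '%s %s\n' "$f" "$(sha256_hex "$f")"
}

# Privileged side: in a real installer this body is what runs under the
# administrator prompt (e.g. osascript "with administrator privileges").
# $1 = source path, $2 = expected sha256, remaining args passed to the script.
run_checked_copy() {
  local src=$1 expected=$2 dir copy actual
  shift 2
  dir=$(mktemp -d "${TMPDIR:-/tmp}/priv.XXXXXX") || return 1  # mode 0700, owned by the caller
  copy="$dir/install.sh"
  cp "$src" "$copy" && chmod 0500 "$copy" || { rm -rf "$dir"; return 1; }
  actual=$(sha256_hex "$copy")        # hash the copy, not the mutable original
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run: payload changed after creation" >&2
    rm -rf "$dir"; return 2
  fi
  bash "$copy" "$@"; local rc=$?
  rm -rf "$dir"; return "$rc"
}
```

When the privileged side really runs as root, the directory from mktemp -d is root-owned with mode 0700, so the verified copy cannot be altered by the user account that created the original.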
Recommended Action (AI-generated)
Within 24 hours: Inventory all systems running CodexBar and identify installations prior to version 0.32.0. …
Other CodexBar advisories:
- Cleartext session cookie exposure in CodexBar (a macOS menu bar AI provider client) prior to 0.32.0 allows network-posit…
- Local privilege-level information disclosure and artifact tampering in CodexBar versions prior to 0.32.0 allows authenti…
- Credential interception in CodexBar before 0.33.0 exposes API keys, bearer tokens, and browser cookies to network-adjace…
Weakness: CWE-377 – Insecure Temporary File
Technique: Privilege Escalation
Related identifiers: EUVD-2026-33750, GHSA-gg57-wg6f-c8vg