Severity by source
CVSS vector (NVD, the only source rating this CVE): CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows local attackers to access sensitive credentials or tamper with build artifacts by exploiting predictable file paths in the release notarization workflow. Attackers with access to the same host can read the App Store Connect API key written to a fixed path, pre-create files or symbolic links at predictable locations to redirect writes to attacker-controlled destinations, or tamper with notarization archives before submission.
Analysis (AI-generated)
Local privilege-level information disclosure and artifact tampering in CodexBar versions prior to 0.32.0 allows authenticated users on the same macOS host to read App Store Connect API keys and hijack release builds via predictable temporary file paths in the notarization workflow. The flaw stems from writing sensitive credentials and notarization archives to fixed, world-reachable locations rather than per-run private directories, enabling symlink races and pre-creation attacks. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | Attacker must already have an interactive local account or code-execution foothold on the same macOS host where CodexBar's release notarization workflow runs (CVSS AV:L, PR:L), and must be able to observe or write to the fixed shared /tmp paths used for the App Store Connect API key file and the notarization upload ZIP before or during a release run; the AT:P value in the CVSS 4.0 vector reflects this timing/pre-creation requirement. … |
| Risk Assessment | The CVSS 4.0 vector AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N reflects a local, low-complexity attack requiring an attack precondition (AT:P: racing or pre-creating the predictable path) and low privileges, with high confidentiality and integrity impact but no availability impact. … |
| Exploit Scenario | On a shared macOS build host, an unprivileged local user enumerates the well-known /tmp path used by CodexBar's notarization workflow and either reads the App Store Connect API key file the moment it is written or pre-creates a symlink so the workflow's ZIP write is redirected to an attacker-controlled location, where the attacker swaps in a malicious notarization archive. The attacker then either reuses the stolen Apple API key to sign their own artifacts or lets CodexBar submit the tampered archive to Apple under the legitimate developer identity. |
| Remediation | Vendor-released patch: upgrade CodexBar to 0.32.0 or later, which isolates notarization API keys and upload ZIPs in a private per-run temporary directory rather than predictable shared /tmp paths (see https://github.com/steipete/CodexBar/releases/tag/v0.32.0 and commit https://github.com/steipete/CodexBar/commit/e7d932616508cee43ea9bcc63c269b14698de655). … |
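The fix described above, shown as an added shell illustration that is not CodexBar's own code: a fixed /tmp path (the CWE-377 pattern) beside a per-run private directory created with mktemp, with a key write that refuses a pre-created file or symlink instead of following it. The file names and key contents are constructed placeholders.

```shell
#!/bin/sh
# Added illustration, not CodexBar's own code: a fixed /tmp path versus a
# per-run private directory, as a notarization script might write its key.
set -eu

# Vulnerable pattern (CWE-377): a fixed, predictable path that any local
# user can read once written, or pre-create (or symlink) before the run.
unsafe_key_path() {
  printf '%s\n' "/tmp/notarize_api_key.p8"
}

# Hardened pattern: a fresh directory per run, created mode 0700 by mktemp,
# so other users cannot list it, pre-create names in it, or plant symlinks.
# (umask 077 here also applies to the rest of this shell session.)
make_private_workdir() {
  umask 077
  mktemp -d "${TMPDIR:-/tmp}/notarize.XXXXXX"
}

# Write the key only when the destination does not already exist: a
# pre-created file or symlink makes the write fail instead of being followed.
# (set -C / noclobber additionally refuses to truncate an existing regular file.)
write_key_file() {
  dest="$1"; key_contents="$2"
  if [ -e "$dest" ] || [ -L "$dest" ]; then
    echo "refusing to write: $dest already exists" >&2
    return 1
  fi
  ( umask 077; set -C; printf '%s' "$key_contents" > "$dest" )
}

# True when the path is a regular file (not a symlink), owned by the
# current user, with mode exactly 0600; portable across GNU and BSD find.
check_key_file() {
  f="$1"
  [ -f "$f" ] && [ ! -L "$f" ] || return 1
  [ -n "$(find "$f" -prune -user "$(id -un)" -perm 0600 -print)" ]
}

# Worked run with a constructed placeholder key (not a real App Store Connect key).
workdir=$(make_private_workdir)
write_key_file "$workdir/AuthKey_PLACEHOLDER.p8" "PLACEHOLDER-PRIVATE-KEY"
check_key_file "$workdir/AuthKey_PLACEHOLDER.p8" && echo "private key file in $workdir"
rm -rf "$workdir"
```

The private directory is the actual mitigation; the pre-write existence check only turns a silently redirected write into a visible failure.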
Recommended Action (AI-generated)
Within 24 hours: Identify and isolate systems running CodexBar versions prior to 0.32.0. …
Related CodexBar entries:
- Cleartext session cookie exposure in CodexBar (a macOS menu bar AI provider client) prior to 0.32.0 allows network-posit
- Local privilege escalation in CodexBar prior to 0.32.0 allows a same-user attacker to execute arbitrary commands as root
- Credential interception in CodexBar before 0.33.0 exposes API keys, bearer tokens, and browser cookies to network-adjace
Same weakness: CWE-377 – Insecure Temporary File
Same technique: Information Disclosure
Other identifiers: EUVD-2026-33751, GHSA-8v4r-w49g-jc9w