
CodexBar CVE-2026-49135

EUVD: EUVD-2026-33751 · HIGH
Insecure Temporary File (CWE-377)
2026-06-01 · VulnCheck · GHSA-8v4r-w49g-jc9w
Score: 7.2 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 7.2 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; NVD is the only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (6 events)

Jun 01, 2026 21:29 · vuln.today · Analysis Updated · v3 (cvss_changed)
Jun 01, 2026 21:29 · vuln.today · Analysis Updated · v2 (cvss_changed)
Jun 01, 2026 21:22 · vuln.today · Re-analysis Queued · cvss_changed
Jun 01, 2026 21:22 · NVD · CVSS changed · 7.1 (HIGH) → 7.2 (HIGH)
Jun 01, 2026 20:51 · vuln.today · Source Code Evidence Fetched
Jun 01, 2026 20:51 · vuln.today · Analysis Generated

Description (CVE.org)

CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows local attackers to access sensitive credentials or tamper with build artifacts by exploiting predictable file paths in the release notarization workflow. Attackers with access to the same host can read the App Store Connect API key written to a fixed path, pre-create files or symbolic links at predictable locations to redirect writes to attacker-controlled destinations, or tamper with notarization archives before submission.

Analysis (AI)

Information disclosure and artifact tampering by a local, low-privileged user in CodexBar versions prior to 0.32.0: authenticated users on the same macOS host can read App Store Connect API keys and hijack release builds via predictable temporary file paths in the notarization workflow. The flaw stems from writing sensitive credentials and notarization archives to fixed, world-reachable locations rather than per-run private directories, which enables symlink races and pre-creation attacks. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Gain local account on build host
Delivery: Predict /tmp notarization paths
Exploit: Pre-create symlink or poll for key file
Install: Workflow writes API key and ZIP to predictable path
C2: Read App Store Connect key or redirect archive write
Execute: Substitute tampered notarization archive
Impact: Abuse stolen key or ship trojanized signed build

Vulnerability Assessment (AI)

Exploitation: The attacker must already have an interactive local account or a code-execution foothold on the same macOS host where CodexBar's release notarization workflow runs (CVSS AV:L, PR:L), and must be able to observe or write to the fixed shared /tmp paths used for the App Store Connect API key file and the notarization upload ZIP before or during a release run; the AT:P metric in the CVSS 4.0 vector reflects this timing/pre-creation requirement. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 vector AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N reflects a local, low-complexity attack that requires an attack precondition (AT:P: racing or pre-creating the predictable path) and low privileges, with high confidentiality and integrity impact but no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: On a shared macOS build host, an unprivileged local user enumerates the well-known /tmp path used by CodexBar's notarization workflow and either reads the App Store Connect API key file the moment it is written or pre-creates a symlink so that the workflow's ZIP write is redirected to an attacker-controlled location, where the attacker swaps in a malicious notarization archive. The attacker then either reuses the stolen Apple API key to sign their own artifacts or lets CodexBar submit the tampered archive to Apple under the legitimate developer identity.

Remediation: Vendor-released patch: upgrade CodexBar to 0.32.0 or later, which isolates notarization API keys and upload ZIPs in a private per-run temporary directory rather than predictable shared /tmp paths (see https://github.com/steipete/CodexBar/releases/tag/v0.32.0 and commit https://github.com/steipete/CodexBar/commit/e7d932616508cee43ea9bcc63c269b14698de655). … Detailed patch versions, workarounds, and compensating controls in full report.
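The following POSIX shell script is an added example written for this page; it is not CodexBar's release script and does not reproduce the patched commit. It illustrates both the flaw described in the Analysis (secrets at a fixed, shared /tmp path) and the fix described under Remediation (a private per-run temporary directory): mktemp -d creates an unpredictable, owner-only directory atomically, noclobber refuses to write through a pre-existing file or symlink, and an audit function flags any artifact that still sits in a world-accessible directory. The directory prefix codexbar-notary, the file name AuthKey.p8 and the key contents are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not CodexBar's own release tooling: a private per-run
# temporary directory for notarization secrets, plus an audit check that
# flags the fixed-/tmp-path pattern described in CVE-2026-49135.
# Every path and key value below is constructed for illustration.

# Create a per-run directory that only the current user can enter.
# mktemp -d picks an unpredictable name and creates it atomically with
# mode 700, so another local user cannot pre-create it or plant a
# symlink at that name ahead of the release run.
make_private_run_dir() {
    mktemp -d "${TMPDIR:-/tmp}/codexbar-notary.XXXXXX"
}

# Write secret material into the private directory.
# set -C (noclobber) makes the redirect fail instead of following a
# pre-existing file or symlink, and umask 077 keeps the file owner-only.
# Prints the path written on success; non-zero status if the file existed.
write_key_private() {
    dir="$1"; key_material="$2"
    target="$dir/AuthKey.p8"   # constructed file name
    ( umask 077; set -C; printf '%s\n' "$key_material" > "$target" ) || return 1
    printf '%s\n' "$target"
}

# Audit an existing artifact path. Returns 0 only if:
#   - the path itself is not a symlink,
#   - it and its parent directory are owned by the invoking user,
#   - the parent directory is mode 700 and the file is mode 600.
# A key dropped at a fixed path under shared /tmp fails on the parent
# check (/tmp is drwxrwxrwt on Linux and a symlink on macOS).
check_private_path() {
    p="$1"
    [ -L "$p" ] && return 1
    parent=$(dirname "$p")
    me=$(id -un)
    pmode=$(ls -ld "$parent" | cut -c1-10)
    powner=$(ls -ld "$parent" | awk '{print $3}')
    fmode=$(ls -ld "$p" | cut -c1-10)
    fowner=$(ls -ld "$p" | awk '{print $3}')
    [ "$powner" = "$me" ] && [ "$fowner" = "$me" ] || return 1
    case "$pmode" in drwx------) ;; *) return 1 ;; esac
    case "$fmode" in -rw-------) ;; *) return 1 ;; esac
    return 0
}

# Demo of the hardened flow, with the run directory removed on exit so
# the key never outlives the release run.
RUN_DIR=$(make_private_run_dir)
trap 'rm -rf "$RUN_DIR"' EXIT
KEY_PATH=$(write_key_private "$RUN_DIR" "CONSTRUCTED-KEY-MATERIAL")
if check_private_path "$KEY_PATH"; then
    echo "ok: $KEY_PATH is private to $(id -un)"
else
    echo "audit failed for $KEY_PATH" >&2
fi
```

The audit function is the part worth keeping around: run it over every path a release script hands to the notarization tooling and fail the build if any of them lands outside a mode-700 directory owned by the build user. The trap on EXIT matters as much as the directory mode, since a key left behind after the run is readable by anyone who later gains the same account.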

Recommended Action (AI)

Within 24 hours: Identify and isolate systems running CodexBar versions prior to 0.32.0. …


CVE-2026-49135 vulnerability details – vuln.today
