
CodexBar CVE-2026-49949

EUVD: EUVD-2026-36302 · MEDIUM
Insufficiently Protected Credentials (CWE-522)
2026-06-11 · VulnCheck · GHSA-42m6-xh7c-6xm4
CVSS 4.0 score: 6.0 (Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck), primary: 6.0 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI: 5.3 MEDIUM

Network vector requires MITM redirect injection (AC:H); no attacker privileges needed (PR:N); victim must trigger a request (UI:R); only credentials are exposed (C:H, I:N, A:N).

CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Passive (P)
Scope: X (not defined)

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 11, 2026 - 20:26 (vuln.today)
  • Analysis Generated: Jun 11, 2026 - 20:26 (vuln.today)

Description (CVE.org)

CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials by issuing cross-origin or HTTP-downgrade redirects to the shared ProviderHTTPClient transport. Attackers can redirect credentialed provider requests carrying browser cookies, bearer tokens, or API keys to an unintended host, port, or plaintext HTTP destination to capture those credentials.

Analysis (AI)

Credential interception in CodexBar before 0.33.0 exposes API keys, bearer tokens, and browser cookies to network-adjacent attackers through the shared ProviderHTTPClient transport's failure to validate redirect destinations. When a user initiates a credentialed request to an AI provider backend, an attacker positioned to inject redirect responses can steer the transport to a cross-origin host or a plaintext HTTP endpoint, causing CodexBar to forward the original credentials to the attacker-controlled destination. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: gain a network-adjacent MITM position
  • Delivery: intercept the AI provider's HTTP response in transit
  • Exploit: inject a cross-origin or HTTP-downgrade redirect
  • Execution: CodexBar follows the redirect, forwarding credentials intact
  • Impact: attacker captures API keys, bearer tokens, or session cookies

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to be network-adjacent and capable of injecting or substituting HTTP redirect responses in the path between CodexBar and the targeted AI provider backend, achievable via ARP poisoning, a rogue access point, or a compromised upstream proxy on the local network segment. …

Risk Assessment: The CVSS 4.0 score of 6.0 (AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) accurately reflects a meaningful but exploitation-constrained credential theft risk. …

Exploit Scenario: An attacker on the same network segment as a CodexBar user, for example on shared office or café Wi-Fi, establishes a MITM position via ARP spoofing or a rogue access point. When the user triggers a Copilot or Vertex AI request through CodexBar, the attacker intercepts the AI provider's HTTP response and replaces it with a 301/302 redirect pointing to a plaintext HTTP endpoint under the attacker's control. …

Remediation: The primary fix is upgrading to CodexBar v0.33.0 or later, which blocks credentialed provider redirects that exit the original HTTPS origin (PR #1237, commit 08c171b6b487654a0eb188494fa24bd1c4272a2e). …
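The origin check that the 0.33.0 fix is described as adding (a credentialed request may not follow a redirect that leaves its original HTTPS origin) has details that are easy to get wrong: relative Location headers, default ports, and host case all affect the comparison. The block below is an added example in Python, not CodexBar's own code, showing one way to make that decision; the header names and URLs in it are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Request headers that carry credentials.  Constructed list for this example;
# the advisory names cookies, bearer tokens and API keys but not header names.
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key"}
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str):
    """(scheme, host, port) with scheme and host lowercased and the default
    port filled in, so 'https://a.test/' and 'HTTPS://A.TEST:443/' compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def redirect_keeps_origin(request_url: str, location: str) -> bool:
    """True only when the Location target stays on the request's HTTPS origin.

    A relative Location is resolved against the request URL first, as any HTTP
    client would.  Any change of scheme (an HTTPS->HTTP downgrade), host or
    port counts as leaving the origin, which is the condition the advisory
    describes for the credential leak.
    """
    target = urljoin(request_url, location)
    src, dst = origin_of(request_url), origin_of(target)
    return src[0] == "https" and src == dst


def headers_for_redirect(request_url: str, location: str,
                         headers: dict) -> Optional[dict]:
    """Headers to reuse on the redirected request, or None to refuse it.

    A request carrying no credentials may follow any redirect; one that does
    is blocked outright (not retried without credentials) as soon as the
    redirect exits the original HTTPS origin.
    """
    carries_credentials = any(k.lower() in CREDENTIAL_HEADERS for k in headers)
    if carries_credentials and not redirect_keeps_origin(request_url, location):
        return None
    return dict(headers)


if __name__ == "__main__":
    # Constructed sample: an HTTPS->HTTP downgrade redirect on the same host.
    req = "https://api.provider.test/v1/chat"
    print(headers_for_redirect(req, "http://api.provider.test/v1/chat",
                               {"Authorization": "Bearer TOKEN"}))  # None
```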


CVE-2026-49949 vulnerability details – vuln.today
