CVE-2026-49135

Sažetak

CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows local attackers to access sensitive credentials or tamper with build artifacts by exploiting predictable file paths in the release notarization workflow. Attackers with access to the same host can read the App Store Connect API key written to a fixed path, pre-create files or symbolic links at predictable locations to redirect writes to attacker-controlled destinations, or tamper with notarization archives before submission.

Reference

https://github.com/steipete/CodexBar/commit/e7d932616508cee43ea9bcc63c269b14698de655
https://github.com/steipete/CodexBar/pull/1228
https://github.com/steipete/CodexBar/releases/tag/v0.32.0
https://www.vulncheck.com/advisories/codexbar-insecure-temporary-file-handling-in-notarization-workflow
https://github.com/steipete/CodexBar/pull/1228

CVSS

Base:	7.1
Impact:	5.2
Exploitability:	1.8

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	NONE

CVSS vektor

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Zadnje važnije ažuriranje

02-06-2026 - 14:43

Objavljeno

01-06-2026 - 21:16