CVE-2026-43625: CodexBar Session Cookie Leakage – Urgent Patch Required
CodexBar versions before 0.32.0 have a vulnerability where session cookies imported from your browser can be intercepted over the network. When CodexBar redirects requests to Amp or Ollama providers, attackers positioned on your network path can capture these cookies if the redirect sends them over unencrypted HTTP. This requires the attacker to be on the network between you and the provider, but the leaked cookies could grant them access to your sessions on those services.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-319
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers can position themselves on the network path to receive cleartext HTTP requests carrying imported session cookies when a provider-controlled redirect target issues a redirect to a cleartext HTTP endpoint within the same provider domain.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-43625 is a cleartext transmission vulnerability in CodexBar's session cookie handling for Amp and Ollama provider integrations. The flaw stems from improper redirect validation that allows provider-controlled redirects to steer requests to unencrypted HTTP endpoints within the same provider domain. When imported browser session cookies are included in these requests, they transit in plaintext and become visible to network eavesdroppers. The vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information) and affects CodexBar prior to version 0.32.0.
Business impact
If your organization uses CodexBar to import and manage sessions for Amp or Ollama providers, session hijacking is a realistic threat on untrusted networks. Compromised sessions could allow attackers to assume your identity on those services, access sensitive resources, or perform unauthorized actions. The business risk depends on what data and capabilities those provider sessions control—if they access internal tools or sensitive integrations, the impact could be substantial. Affected teams should prioritize patching to prevent credential leakage, especially for users operating on shared or public networks.
Affected systems
CodexBar versions prior to 0.32.0 are affected. The vulnerability specifically impacts deployments that use Amp or Ollama provider integrations with imported browser session cookies. Users on network segments where traffic can be eavesdropped—such as public Wi-Fi, VPNs with weak controls, or compromised corporate networks—face the highest risk.
Exploitability
Exploitation requires the attacker to occupy a network position between the victim and the provider (e.g., ARP spoofing, BGP hijacking, compromised router, or rogue Wi-Fi access point). This raises the attack complexity to 'high,' but once positioned, the attack is straightforward: passively capture HTTP traffic containing the session cookies. No user interaction or authentication is required on the attacker's side. The risk is amplified in environments where network eavesdropping is feasible, such as open Wi-Fi or poorly segmented networks.
Remediation
Upgrade CodexBar to version 0.32.0 or later, which addresses the improper redirect handling and session cookie transmission flaws. Verify the upgrade against the vendor's official advisory to confirm patch completeness. As an interim measure, restrict CodexBar use to secure, encrypted network connections and avoid importing sessions on untrusted networks. If provider integrations are not essential, consider disabling Amp and Ollama session imports until patching is complete.
Patch guidance
Update CodexBar to version 0.32.0 or higher. Verify the specific patch version and release notes via the vendor's official release channel. Apply patches to all systems running CodexBar, particularly those handling sensitive provider sessions. Test the updated version in a controlled environment before production deployment to ensure compatibility with your workflow and integrations.
Detection guidance
Monitor for CodexBar instances running versions below 0.32.0 using your asset inventory and software scanning tools. Review network traffic logs for cleartext HTTP requests originating from CodexBar processes to Amp or Ollama providers, which may indicate cookie leakage in progress. Look for unusual session reuse or account access from unfamiliar IP addresses on Amp or Ollama accounts linked to CodexBar. If possible, enable TLS interception (with proper authorization) to detect plaintext cookie transmission attempts.
Why prioritize this
Although the CVSS score is 5.9 (MEDIUM), this vulnerability merits prompt remediation because it enables passive session theft on accessible networks. The risk is highly contextual—organizations using CodexBar on isolated or air-gapped networks face lower exposure, but those on shared or open networks should prioritize patching. The low attack complexity once network access is gained, combined with high confidentiality impact, makes this a practical target for adversaries in transitional network environments.
Risk score, explained
The CVSS 3.1 score of 5.9 reflects a network-based attack with high attack complexity (requiring network positioning), no privileges or user interaction, no system-wide impact, but high confidentiality loss (session cookies). The score appropriately penalizes the requirement for network eavesdropping capability while acknowledging the serious confidentiality risk of session theft. In practice, risk is lower on fully encrypted or air-gapped networks and higher on public or semi-trusted networks.
Frequently asked questions
Does this vulnerability affect CodexBar if I only use local sessions and don't import browser cookies?
No. The vulnerability is specific to imported browser session cookies used for Amp and Ollama provider integrations. If you do not import external session cookies or do not use those providers, you are not affected.
Can an attacker exploit this without being on the same network?
Not directly. The attacker must be positioned on the network path between CodexBar and the provider to eavesdrop on HTTP traffic. This typically requires local network access, ARP spoofing, DNS hijacking, or control of a network device. Remote exploitation is not possible, which is why the attack complexity is rated 'high.'
What should I do if I suspect my session cookies were compromised?
Upgrade CodexBar immediately to 0.32.0 or later. Then, reset passwords and revoke active sessions on any Amp or Ollama accounts that were accessed through CodexBar. Review audit logs on those services for unauthorized activity. Consider rotating any sensitive API keys or tokens associated with those accounts.
Why did CodexBar allow redirects to unencrypted HTTP endpoints in the first place?
This appears to be an overly permissive redirect validation rule that did not enforce HTTPS for provider domains. The vendor has corrected this in 0.32.0 by tightening redirect handling to prevent plaintext transmission of sensitive data.
This analysis is based on the CVE record and vendor information as of the published date. Verify all patch versions and mitigation steps against the official vendor advisory before deployment. The actual risk to your organization depends on your network environment, CodexBar version, and use of Amp/Ollama integrations. This guidance is for informational purposes and does not constitute professional security advice. Always follow your organization's change management and testing procedures before applying patches. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2023-52951MEDIUMSynology Note Station Client Cleartext Credential Transmission Vulnerability
- CVE-2026-10584MEDIUMGraph Explorer HTTPS Fallback to HTTP Vulnerability
- CVE-2026-25599MEDIUMOrca Heat Pump Unauthenticated HTTP and Stored XSS Vulnerability
- CVE-2026-36610MEDIUMMercusys AC12G EU Plaintext DDNS Credential Disclosure
- CVE-2026-34126HIGHTP-Link Tapo Unencrypted Bluetooth Setup Vulnerability – L535E, P300, D100C
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)