CVE-2026-49134: CodexBar Privilege Escalation in CLI Installer (Race Condition)
CodexBar versions before 0.32.0 contain a local privilege escalation flaw in the CLI installer. An attacker with access to the same system can intercept and modify the installer's temporary files during the installation process, tricking the system into running malicious commands with root-level privileges. This requires the attacker to be on the same machine and to time their interference with an active installation, but once successful, grants complete system control.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-377
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
CodexBar prior to 0.32.0 contains a privilege escalation vulnerability in the CLI installer that allows local attackers to execute arbitrary commands as root by exploiting a race condition in temporary file handling. The installer creates a temporary file with mktemp, writes a privileged shell payload into it, and executes it with administrator privileges via bash, allowing a same-user local process to rewrite the installer body before the administrator prompt is approved, causing attacker-controlled commands to run as root.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in CodexBar's installer logic, which uses mktemp to create temporary files and subsequently writes a privileged shell payload into them before executing via bash with elevated privileges. An attacker capable of monitoring or writing to the temporary filesystem can exploit a race condition between file creation and payload execution. By rewriting the installer body before the administrator approval prompt is processed, the attacker forces the bash execution context to run attacker-controlled commands as root. This is a classic TOCTOU (time-of-check-time-of-use) issue in file handling during privileged operations.
Business impact
Successful exploitation results in complete compromise of affected systems. An attacker gaining root access can install backdoors, exfiltrate sensitive data, modify or delete critical files, or establish persistence. Organizations running CodexBar installers in shared or multi-tenant environments face heightened risk. The impact extends beyond the CodexBar application itself—root access enables lateral movement and compromise of dependent services and data.
Affected systems
CodexBar prior to version 0.32.0 is affected. The vulnerability is triggered during the CLI installer execution, so exposure is limited to systems on which the installer is actively running or has been recently executed. Systems with CodexBar already installed and not running the installer are not directly vulnerable to this specific flaw, though best practice is to upgrade to 0.32.0 or later.
Exploitability
Exploitation requires local system access and the ability to observe or modify temporary files, placing it in the 'local' attack vector category. An attacker must also have timing precision to interfere with the installer before the administrator approval prompt is satisfied. While the bar to exploitation is non-trivial, it is achievable by a determined attacker on shared systems, containers, or systems with weak file permission controls on /tmp or equivalent temporary directories. The race condition window may be narrow but reliable.
Remediation
Upgrade CodexBar to version 0.32.0 or later. If immediate upgrade is not feasible, restrict access to temporary file directories (/tmp, /var/tmp) via file system permissions or mounting with noexec flags. Limit installer execution to isolated environments or single-user machines where feasible. Avoid running the installer on shared multi-user systems or in untrusted container environments until patched.
Patch guidance
Verify that CodexBar is updated to 0.32.0 or later by checking the installed version (typically available via 'codexbar --version' or equivalent). Consult the official CodexBar release notes to confirm patch availability and any deployment considerations. Test the patched version in a non-production environment before broad rollout. If CodexBar is deployed via package management systems, ensure the repository index is refreshed and the latest version is installed.
Detection guidance
Monitor execution of mktemp and subsequent bash invocations in the /tmp directory during CodexBar installer execution. Audit file modification events on temporary files immediately after their creation. Look for suspicious process spawning from temporary directories, particularly any commands executed as root originating from /tmp or /var/tmp. Enable enhanced logging on installer execution (if available) and correlate with system call tracing tools like auditd or strace. Detect multiple rapid file operations in temporary directories during installer runs as a potential race condition exploitation attempt.
Why prioritize this
This vulnerability scores HIGH (CVSS 7.1) due to the combination of high confidentiality, integrity, and availability impact from root-level code execution, balanced against the requirement for local access and user interaction (administrator approval). Organizations should prioritize this for systems where CodexBar installers are regularly executed or where shared system access is common. However, it is not a network-exploitable flaw and does not appear in active exploitation databases (KEV), allowing time for orderly patching.
Risk score, explained
The CVSS 3.1 score of 7.1 (HIGH) reflects: network attack vector of 'Adjacent' (local), attack complexity 'High' due to race condition timing and file system conditions, privilege escalation from local user to root (high impact), and lack of user interaction beyond approval of the installation itself. The score appropriately captures a serious local flaw that is not trivially exploitable but is critical when successful. Organizations with strict change control over installation processes may score this lower in their own risk model.
Frequently asked questions
Does this vulnerability affect CodexBar if it is already installed and running?
No. The vulnerability is specific to the CLI installer process. Once CodexBar 0.32.0 or later is installed, this particular flaw does not apply to the running application. However, if you reinstall or update CodexBar, ensure you are using the patched installer.
Can this be exploited remotely or over the network?
No. This is a local privilege escalation vulnerability. The attacker must have direct access to the system and be able to monitor or modify files in the temporary directory. Network-based attacks against CodexBar are outside the scope of this CVE.
Is this vulnerability currently being actively exploited in the wild?
The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date, indicating no widespread active exploitation has been reported. However, the simplicity of the underlying race condition means exploit code could be developed relatively easily, so proactive patching is recommended.
What is the remediation if we cannot patch immediately?
Restrict permissions on temporary directories (/tmp, /var/tmp) to prevent unauthorized write access, or mount them with noexec flags to prevent execution. Run installers in isolated environments or single-user contexts. Apply file system controls and process isolation to minimize attack surface. Plan an expedited patch window as soon as feasible.
This analysis is provided for informational purposes to support vulnerability management and security decision-making. SEC.co does not provide legal, warranty, or liability guarantees. Organizations should validate all technical details against official vendor advisories and test patches in controlled environments before production deployment. CVSS scores and severity ratings reflect baseline industry standards and may require adjustment based on organizational context, asset criticality, and threat landscape. No exploit code or weaponized proof-of-concept is provided or implied by this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-49135HIGHCodexBar Insecure Temporary File Handling Allows Local Credential Theft
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1