CVE-2026-49135: CodexBar Insecure Temporary File Handling Allows Local Credential Theft
CodexBar versions before 0.32.0 have a serious flaw in how they handle temporary files during the app release and notarization process. An attacker with access to the same machine can steal the App Store Connect API credentials or sabotage the build artifacts before they're submitted to Apple. The vulnerability exists because CodexBar writes sensitive files to predictable, fixed locations that any local user can read or manipulate.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-377, CWE-59
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows local attackers to access sensitive credentials or tamper with build artifacts by exploiting predictable file paths in the release notarization workflow. Attackers with access to the same host can read the App Store Connect API key written to a fixed path, pre-create files or symbolic links at predictable locations to redirect writes to attacker-controlled destinations, or tamper with notarization archives before submission.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49135 is an insecure temporary file handling vulnerability stemming from predictable file path generation in CodexBar's release notarization workflow. The vulnerability manifests through three attack vectors: (1) direct read access to App Store Connect API keys written to fixed paths, (2) time-of-check-time-of-use (TOCTOU) race conditions enabling symbolic link attacks and file pre-creation at predictable locations, and (3) tampering with notarization archives prior to submission to Apple's services. The root causes map to CWE-377 (Insecure Temporary File) and CWE-59 (Improper Link Resolution Before File Access), both stemming from inadequate entropy in temporary file naming and insufficient validation of file ownership and permissions.
Business impact
Compromise of App Store Connect credentials could allow attackers to publish malicious app updates, access analytics and user data, or revoke legitimate apps. Tampering with notarization archives before Apple submission can result in unsigned or maliciously modified applications reaching end users. For development teams and CI/CD operators, this represents a supply chain risk: attackers on shared build infrastructure can inject malware into release artifacts or exfiltrate signing credentials. Organizations using CodexBar for macOS or iOS release workflows face potential app store account takeover and reputational damage.
Affected systems
CodexBar versions prior to 0.32.0 are affected. The vulnerability affects any deployment where CodexBar is used for macOS or iOS application notarization and release workflows, particularly in multi-user or containerized build environments where multiple local users or processes have access to the same filesystem.
Exploitability
Exploitability is moderate to high for attackers with local access to the build system. The vulnerability requires local privileges (PR:L in the CVSS vector) but no user interaction and a straightforward attack complexity. On shared CI/CD runners, containerized build agents, or multi-tenant development machines, an unprivileged attacker or compromised process can execute the attack. However, the attack does require prior local presence on the target host; remote exploitation is not feasible.
Remediation
Upgrade CodexBar to version 0.32.0 or later immediately. The patched version addresses temporary file handling by using cryptographically secure temporary directories and validating file ownership before read or write operations. Organizations should also audit any API keys or credentials that may have been exposed during the window of vulnerability and rotate App Store Connect credentials if compromise is suspected.
Patch guidance
Apply CodexBar version 0.32.0 or later to all build systems, CI/CD pipelines, and developer machines currently running affected versions. Verify the update through the official CodexBar release channel and test in a non-production environment first to ensure compatibility with your release workflow. After patching, regenerate and rotate any App Store Connect API keys used during the vulnerability window as a precaution.
Detection guidance
Review CodexBar logs for unusual file access patterns in the temporary directory where notarization workflows execute (typically system temp directories). Look for symbolic links, hard links, or files created by unexpected users in locations where CodexBar writes temporary files. Monitor file integrity and permission changes in release artifact directories. If CodexBar is running in a CI/CD environment, check for unauthorized process execution or credential access attempts coinciding with release builds. Examine App Store Connect audit logs for unexpected API calls, key rotations, or account changes during the affected version's deployment period.
Why prioritize this
This vulnerability scores HIGH (CVSS 7.1) and poses direct supply chain and credential theft risks in development environments. While local-only exploitability somewhat constrains its scope, the ability to compromise App Store Connect credentials and inject malware into release artifacts makes it a critical priority for any organization using CodexBar. The vulnerability affects a foundational part of the release pipeline; compromise here cascades to end users.
Risk score, explained
The CVSS 3.1 score of 7.1 reflects high impact (confidentiality: H, integrity: H) with local attack vector and low attack complexity. The score does not require user interaction and affects only the confidentiality and integrity of data (availability: N), typical of temporary file and privilege escalation issues. The LOCAL attack vector and LOW privilege requirement prevent a CRITICAL rating, but the dual impact on credential theft and artifact tampering justifies HIGH severity.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-49135 requires local access to the build machine where CodexBar runs. Remote exploitation is not possible. However, in cloud-based CI/CD environments or shared build infrastructure, the threat model includes compromised container workloads, malicious internal processes, or lateral movement after initial compromise.
How do I know if my App Store Connect credentials were stolen?
Check your App Store Connect audit logs for unexpected API calls, key access events, or credential rotations. If CodexBar was running on an unpatched version and you suspect compromise, preemptively rotate your App Store Connect API keys and review recent app uploads for unauthorized changes. If you detect suspicious activity, contact Apple Support immediately.
Do I need to rotate my API keys even if I patch CodexBar now?
If your organization cannot confirm that CodexBar was running on an unpatched version in a multi-user or untrusted environment, rotation is a prudent defensive measure. If CodexBar ran only in isolated, single-user environments, the risk of compromise is lower but not zero. Verify your deployment model and incident logs to make an informed decision.
Is CodexBar still safe to use after upgrading to 0.32.0?
Yes. Version 0.32.0 and later address the root causes of insecure temporary file handling. After upgrading, CodexBar uses secure temporary directory practices and validates file ownership, eliminating the attack vectors described in this vulnerability.
This analysis is based on published CVE data and vendor advisories as of the modification date. Organizations should verify patch availability and compatibility with their specific CodexBar deployment before applying updates. No exploit code or weaponized proof-of-concept is provided. Security teams should engage with CodexBar maintainers or support channels for deployment-specific questions. This document is for informational purposes and does not constitute professional security advice; consult with your organization's security and legal teams before taking action. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41236HIGHFroxlor 2.3.6 Symlink Privilege Escalation to Root
- CVE-2026-49134HIGHCodexBar Privilege Escalation in CLI Installer (Race Condition)
- CVE-2026-11322MEDIUMHermes WebUI Path Traversal Vulnerability – Credential Exposure Risk
- CVE-2026-40861MEDIUMApache Airflow Path Traversal – Log Directory Symlink and Directory Escape Vulnerability
- CVE-2026-45403LOWAnythingLLM Path Traversal via Symlink Abuse – Patch to 1.13.0
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10