CVE-2026-49135
CodexBar Insecure Temp File Handling Prior to 0.32.0
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codexbar | codexbar | < 0.32.0 (0.32.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-377 | Insecure Temporary File: creating and using insecure temporary files can leave application and system data vulnerable to attack. |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following'): the product attempts to access a file based on the filename, but does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-49135 is an insecure temporary file handling vulnerability in CodexBar versions before 0.32.0. The release notarization workflow writes to predictable, fixed file paths, so a local attacker with an account on the same host (the machine where releases are built and notarized) can exploit those paths.
Two consequences follow. First, the App Store Connect API key is written to a fixed path, so another local user can read that credential. Second, because the paths are known in advance, an attacker can pre-create files or symbolic links at those locations (CWE-59) so that the workflow's writes are redirected to destinations the attacker controls, or can tamper with the notarization archive after it is assembled but before it is submitted.
How can this vulnerability impact me?
A local attacker on the release host can obtain sensitive credentials, in particular the App Store Connect API key, and can tamper with build artifacts or notarization archives, compromising the integrity of the software releases produced from that host. The exposure is limited to hosts running the affected release workflow; versions from 0.32.0 onward are not in the affected range.
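The following shell script is an added illustration of the two patterns the answers above describe, not CodexBar's release script (the page does not show that code). It writes a constructed placeholder key to a fixed name in a shared directory, shows how a pre-created symlink redirects that write, and then contrasts it with a private per-run directory created by mktemp(1) plus a regular-file check on the archive before submission. The directory layout, function names and the `notarize.XXXXXXXX` template are assumptions for the example.

```shell
#!/bin/sh
# Added illustration, not CodexBar's release script. It contrasts the
# fixed, predictable temp path described in the advisory (CWE-377 /
# CWE-59) with a private per-run directory from mktemp(1). The key text
# below is a constructed placeholder, not real key material.

FAKE_KEY='-----BEGIN PRIVATE KEY-----
constructed-placeholder-not-a-real-App-Store-Connect-key
-----END PRIVATE KEY-----'

# Vulnerable pattern: every run writes the API key to the same name in a
# shared directory. The > redirection follows whatever already sits at
# that path, so a symlink planted by another local user sends the key
# to a file they control; even without a link the file is left readable
# under the default umask.
write_key_insecure() {            # $1 = shared directory, e.g. /tmp
    key_path="$1/asc_api_key.p8"
    printf '%s\n' "$FAKE_KEY" > "$key_path"
    printf '%s\n' "$key_path"    # the path the workflow believes it wrote
}

# Hardened pattern: a fresh directory with an unpredictable name that
# mktemp creates with mode 0700, so no other user can pre-create a link
# inside it or read what we put there. umask 077 keeps the key file
# owner-only. The -e/-L check is defence in depth; the directory
# permissions are what actually stops the race.
write_key_secure() {              # $1 = parent for the private work dir
    umask 077
    workdir=$(mktemp -d "$1/notarize.XXXXXXXX") || return 1
    key_path="$workdir/asc_api_key.p8"
    if [ -e "$key_path" ] || [ -L "$key_path" ]; then
        echo "refusing to write: $key_path already exists" >&2
        return 1
    fi
    printf '%s\n' "$FAKE_KEY" > "$key_path"
    printf '%s\n' "$key_path"
}

# Before an archive is handed to the notarization service, require that
# it lives inside our private work dir and is a regular file, not a
# link that resolves somewhere an attacker chose.
check_archive() {                 # $1 = private work dir, $2 = archive
    case "$2" in
        "$1"/*) ;;
        *) echo "archive outside work dir: $2" >&2; return 1 ;;
    esac
    [ ! -L "$2" ] && [ -f "$2" ]
}

# Demo: a local attacker plants a symlink at the predictable name, then
# both writers run against the same shared directory.
demo() {
    shared=$(mktemp -d)
    ln -s "$shared/stolen" "$shared/asc_api_key.p8"
    write_key_insecure "$shared" >/dev/null
    if [ -f "$shared/stolen" ]; then
        echo "insecure: key landed in the attacker's file $shared/stolen"
    fi
    secure=$(write_key_secure "$shared") && echo "secure: key written to $secure"
    rm -rf "$shared"
}

demo
```

In a real release script the private directory should also be removed in an `EXIT` trap (`trap 'rm -rf "$workdir"' EXIT`) so the key does not outlive the run, and the path returned by `check_archive`'s caller is the only one ever passed to the notarization tool. The existence and link checks are inherently racy against an attacker who can write to the same directory; they matter far less than never creating the work directory somewhere another user can write.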