CVE-2026-49949

Credential Forwarding Flaw in CodexBar Before 0.33.0

Vulnerability report for CVE-2026-49949, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VulnCheck

Description

CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials by issuing cross-origin or HTTP-downgrade redirects to the shared ProviderHTTPClient transport. Attackers can redirect credentialed provider requests carrying browser cookies, bearer tokens, or API keys to an unintended host, port, or plaintext HTTP destination to capture those credentials.

Meta Information

Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Vendor: steipete
Product: codexbar
Version / Range: all versions before 0.33.0 (0.33.0 excluded)


Exploitability

CWE-522: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.


AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-49949 is a credential forwarding vulnerability in CodexBar versions before 0.33.0. It allows network-adjacent attackers to intercept sensitive credentials by exploiting cross-origin or HTTP-downgrade redirects in the shared ProviderHTTPClient transport.

Attackers can manipulate redirects to send credentialed provider requests, which carry browser cookies, bearer tokens, or API keys, to unintended hosts, ports, or plaintext HTTP destinations, thereby capturing those sensitive credentials.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive credentials such as browser cookies, bearer tokens, or API keys.

An attacker positioned on the same network can intercept these credentials by forcing redirects to malicious or unintended destinations, potentially gaining unauthorized access to user accounts or services.

Such credential leakage can compromise user privacy, allow impersonation, and lead to further exploitation of affected systems or services.

Detection Guidance

This vulnerability involves credential forwarding via cross-origin or HTTP-downgrade redirects in the CodexBar ProviderHTTPClient transport. Detection would involve monitoring network traffic for unexpected redirects that carry sensitive credentials such as browser cookies, bearer tokens, or API keys to unintended hosts, ports, or plaintext HTTP destinations.

To detect this on your system or network, you can monitor HTTP(S) requests made by CodexBar or related processes and look for redirect responses (HTTP 3xx status codes) that lead to different origins or downgrade from HTTPS to HTTP.

Suggested commands include using network traffic capture tools such as tcpdump or Wireshark to filter HTTP redirect responses and analyze the destination URLs:

  • tcpdump -i <interface> -A '(tcp port 80 or tcp port 443) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' (the parentheses are needed because `and` binds tighter than `or`; the expression keeps only TCP segments that carry payload. Redirect responses on port 443 are TLS-encrypted, so without decrypting the session only plaintext HTTP redirects, i.e. the downgrade case, are readable in the capture)
  • Use Wireshark to filter HTTP response codes with: http.response.code == 301 || http.response.code == 302 || http.response.code == 307 || http.response.code == 308

Additionally, inspecting application logs or enabling verbose/debug logging in CodexBar (if supported) to track redirect URLs and their origins can help identify suspicious redirect behavior.

Mitigation Strategies

The primary mitigation is to upgrade CodexBar to version 0.33.0 or later, where the vulnerability has been fixed by introducing a redirect guard mechanism that blocks cross-origin and HTTP-downgrade redirects carrying credentials.

This fix ensures that provider HTTP requests only follow same-origin HTTPS redirects, preventing credential leakage to unintended hosts, ports, or plaintext HTTP destinations.

  • Upgrade CodexBar to version 0.33.0 or newer.
  • If upgrading immediately is not possible, consider restricting network access to prevent network-adjacent attackers from intercepting or redirecting traffic.
  • Monitor and audit network traffic for suspicious redirects as a temporary detection measure.

Applying the patch or update is the most effective and recommended step to mitigate this vulnerability.
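The redirect guard the fix describes (follow only same-origin HTTPS redirects when credentials are attached), written here as an added Python example that is not CodexBar's own code; the same checks can be run over logged redirect targets for the detection guidance above. The provider host, paths and the response chain are constructed for the illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def origin(url: str) -> tuple:
    """(scheme, host, port) with lower-cased scheme/host and default ports filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (p.hostname or "").lower(), port


def redirect_allowed(request_url: str, location: str) -> tuple:
    """Return (allowed, resolved_target, reason) for one redirect hop.

    A relative Location is resolved against the request URL first, as an HTTP
    client would do, so the comparison always sees the real target origin.
    """
    target = urljoin(request_url, location)
    src, dst = origin(request_url), origin(target)
    if dst[0] != "https":
        return False, target, "blocked: HTTPS-to-HTTP downgrade"
    if src[1:] != dst[1:]:
        return False, target, "blocked: cross-origin (host or port changed)"
    return True, target, "allowed: same-origin HTTPS"


def follow_chain(request_url: str, responses: list, max_hops: int = 5) -> dict:
    """Replay a constructed list of (status, Location) responses through the guard.

    The first rejected hop stops the chain before credentials would be re-sent and
    is reported so it can be logged or alerted on.
    """
    url = request_url
    for hop, (status, location) in enumerate(responses, start=1):
        if status not in REDIRECT_CODES:
            break  # final non-redirect response, chain complete
        if hop > max_hops:
            return {"final_url": url, "blocked": location, "reason": "blocked: too many redirects"}
        ok, target, reason = redirect_allowed(url, location)
        if not ok:
            return {"final_url": url, "blocked": target, "reason": reason}
        url = target
    return {"final_url": url, "blocked": None, "reason": "allowed: same-origin HTTPS"}


if __name__ == "__main__":
    # Constructed chain: one benign same-origin hop, then a plaintext downgrade.
    chain = [(302, "/v1/usage/latest"), (307, "http://api.example-provider.test/v1/usage/latest")]
    print(follow_chain("https://api.example-provider.test/v1/usage", chain))
```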

Compliance Impact

The vulnerability in CodexBar before version 0.33.0 allows network-adjacent attackers to intercept sensitive credentials such as browser cookies, bearer tokens, or API keys by exploiting cross-origin or HTTP-downgrade redirects. This exposure of sensitive authentication data could lead to unauthorized access to personal or protected information.

Such leakage of sensitive credentials can negatively impact compliance with common data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access or disclosure.

By allowing credential interception, the vulnerability increases the risk of data breaches and unauthorized data processing, which are critical compliance concerns under these regulations.
