HIGH | CVE-2026-43625 | CNA: VulnCheck

CVE-2026-43625: CodexBar < 0.32.0 Session Cookie Exposure via HTTP Redirect

CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers can position themselves on the network path to receive cleartext HTTP requests carrying imported session cookies when a provider-controlled redirect target issues a redirect to a cleartext HTTP endpoint within the same provider domain.

Metrics

CVSS v4.0: 8.2
Severity: HIGH
Fixed in: 0.32.0
Affected Products: 1


HarborGuard Analysis

Synopsis

Session cookie leakage in CodexBar (versions before 0.32.0) allows a network-positioned attacker to intercept cleartext HTTP requests that carry imported browser session cookies. The flaw stems from improper redirect handling for Amp and Ollama provider sessions, where a provider-controlled redirect can route session cookies over unencrypted HTTP. No authentication is needed to exploit this; a successful attacker reads the victim's session cookies in transit, which can be replayed to hijack authenticated sessions. A patched-image rebuild at version 0.32.0 is available on HarborGuard for environments running an affected version.
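The mechanism described above comes down to a redirect-following client that keeps attaching imported session cookies after a provider-controlled redirect moves the request from HTTPS to cleartext HTTP. The following is an added example, not code from CodexBar or HarborGuard, that puts the vulnerable pattern beside a hardened one. The host `provider.example`, the redirect chain and the in-memory transport are constructed for illustration, so the example runs offline and does not reflect the real provider endpoints.

```python
"""Redirect handling and session cookies: naive vs. TLS-only client.

Added example (not CodexBar's or HarborGuard's code). The responses below are
constructed: provider.example is a hypothetical host standing in for a
provider-controlled redirect target.
"""
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class DowngradeRefused(Exception):
    """Raised when a redirect would carry the session cookie onto cleartext HTTP."""


# Constructed responses: URL -> (status, headers, body).
# /login redirects to a cleartext endpoint on the same domain (the CVE's shape);
# /ok redirects to another HTTPS endpoint (the benign case).
FAKE_RESPONSES = {
    "https://provider.example/login": (302, {"Location": "http://provider.example/session"}, b""),
    "http://provider.example/session": (200, {}, b"cleartext endpoint"),
    "https://provider.example/ok": (302, {"Location": "/done"}, b""),
    "https://provider.example/done": (200, {}, b"encrypted endpoint"),
}


def fake_transport(url, cookies):
    """Stand-in for a real HTTP send: looks the URL up in FAKE_RESPONSES."""
    return FAKE_RESPONSES[url]


def fetch_naive(url, cookies, max_redirects=5, transport=fake_transport):
    """Vulnerable pattern: follows every redirect and attaches cookies each hop.

    Returns (final_url, body, urls_that_received_cookies).
    """
    sent_to = []
    for _ in range(max_redirects + 1):
        sent_to.append(url)
        status, headers, body = transport(url, cookies)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])  # resolves relative Locations too
            continue
        return url, body, sent_to
    raise RuntimeError("too many redirects")


def fetch_tls_only(url, cookies, max_redirects=5, transport=fake_transport):
    """Hardened pattern: checks the scheme before every request, including
    requests that follow a redirect, and refuses to send cookies over non-TLS."""
    sent_to = []
    for _ in range(max_redirects + 1):
        if urlparse(url).scheme != "https":
            raise DowngradeRefused(f"refusing to send session cookies to {url}")
        sent_to.append(url)
        status, headers, body = transport(url, cookies)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return url, body, sent_to
    raise RuntimeError("too many redirects")


def leaks_over_cleartext(urls):
    """True if any URL that received the cookies used a non-HTTPS scheme."""
    return any(urlparse(u).scheme != "https" for u in urls)


def refuses_downgrade(url, cookies):
    """True when the hardened client blocks the redirect chain starting at url."""
    try:
        fetch_tls_only(url, cookies)
    except DowngradeRefused:
        return True
    return False


if __name__ == "__main__":
    cookies = {"session": "constructed-sample-value"}  # constructed, not a real cookie
    _, _, trace = fetch_naive("https://provider.example/login", cookies)
    print("naive client sent cookies to:", trace)
    print("hardened client refuses the same chain:",
          refuses_downgrade("https://provider.example/login", cookies))
```

The scheme check sits inside the redirect loop rather than only on the initial URL, because the downgrade happens on the second hop. With a real HTTP library the equivalent is to disable automatic redirect following and resolve each `Location` yourself, applying the same check before cookies are attached. The same-domain condition in the advisory matters here: a cookie scoped to the provider domain would be sent to both the HTTPS and the HTTP endpoint unless the client refuses the non-TLS hop.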

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-43625 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle CodexBar below 0.32.0.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 8.2 HIGH and weighting it against each environment's compliance policy to route findings to the appropriate team inbox inside each customer org.

Patch (Available)

A patched-image rebuild at CodexBar 0.32.0 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be positioned on the network path between the client and the provider endpoint to intercept the cleartext HTTP request carrying session cookies.

  • Authentication: Not required

    No account or credential of any privilege level is needed; the attacker passively intercepts traffic on the network path.

  • Victim interaction: Not required

    No user action such as clicking a link or opening a file is required; the interception occurs transparently during normal session activity.

  • Attack complexity

    While the exploit itself is straightforward once positioned, the attacker requires a specific network precondition (being on the network path during a redirect), which CVSS AT:P reflects as an attack requirement rather than a free-standing complexity barrier.

Blast Radius

  • Reads imported browser session cookies for Amp and Ollama provider sessions as they traverse the network in cleartext.
  • Replays captured session cookies to authenticate as the victim user against the affected provider, gaining full session-level access.
  • Leaves confidentiality of stored data and service integrity intact at the server side, but session hijacking gives the attacker the same access rights the victim holds.

How HarborGuard Handles This

Available on HarborGuard: detection of CodexBar below 0.32.0 fires within minutes of CVE publication and is matched against all images in customer registries and CI pipelines. A patched-image rebuild at version 0.32.0 is available for any environment where a vulnerable image is identified. Where compliance policy permits, auto-remediation customers receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For teams that cannot immediately rebuild, consider isolating CodexBar workloads behind a network policy that restricts outbound HTTP (non-TLS) egress to provider domains, and audit whether imported session cookies are scoped to the minimum necessary permissions until the 0.32.0 image is deployed.


Fix available: 0.32.0

Patch commits:

Affected packages:
  • steipete / CodexBar: < 0.32.0 (from 0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N