CVE-2026-49134 (HIGH) | CNA: VulnCheck

CVE-2026-49134: CodexBar < 0.32.0 Privilege Escalation via CLI Installer Temp File

CodexBar prior to 0.32.0 contains a local privilege escalation vulnerability in its CLI installer. The installer creates a temporary file with mktemp, writes the shell script that is meant to run with administrator privileges into it, and then executes that file with bash under the elevated privileges. mktemp creates the file with mode 0600, which keeps other users out, but any process already running as the same user can rewrite it, and because the privileged execution only happens after the administrator prompt is approved, the attacker's window is the whole time that prompt sits open. A same-user local process that replaces the script body in that window gets its own commands executed as root.
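To make the race concrete, here is an added example (not CodexBar's installer code and not its actual fix, which the advisory does not describe): a sandboxed reproduction in POSIX shell in which plain `sh` and a `sleep` stand in for the privileged bash invocation and the open administrator prompt, so it runs without root. The function names, the file contents and the stdin-based hardened shape are assumptions made for the demonstration.

```shell
# Added example, not CodexBar's own installer: reproduces the mktemp-then-execute
# race class in an unprivileged sandbox. The sudo / administrator-prompt step is
# replaced by `sh` plus a sleep. Function names and the "legitimate"/"attacker"
# script bodies are hypothetical.

# Vulnerable shape: write the script to a mktemp path, wait for the prompt, then
# execute the path. mktemp makes the file 0600, which shuts out other users, but
# any process running as the same user can still rewrite it.
vulnerable_install() {
    vuln_tmp=$(mktemp) || return 1
    printf '%s\n' 'echo legitimate' > "$vuln_tmp"

    # Simulated same-user attacker: rewrites the body while the prompt is open.
    ( sleep 1; printf '%s\n' 'echo attacker' > "$vuln_tmp" ) &
    vuln_attacker=$!

    sleep 2                              # stands in for the open admin prompt
    vuln_out=$(sh "$vuln_tmp")           # stands in for: sudo bash "$tmp"
    wait "$vuln_attacker"
    rm -f "$vuln_tmp"
    printf '%s' "$vuln_out"              # prints: attacker
}

# Hardened shape: keep the script body in memory and hand it to the privileged
# interpreter on stdin, so there is no user-writable path for anyone to race.
hardened_install() {
    hard_script='echo legitimate'
    sleep 1                              # the prompt wait no longer matters
    printf '%s\n' "$hard_script" | sh -s # stands in for: ... | sudo bash -s
}
```

Calling `vulnerable_install` prints `attacker` even though the installer wrote `legitimate`; `hardened_install` prints `legitimate`. If the privileged step genuinely needs a path, the file must live somewhere the unprivileged user cannot write (which requires privileges before the prompt, not after), or the contents must be passed inline with `sudo bash -c "$script"` or on stdin with `sudo bash -s` as above. Hashing the file before executing it only narrows the window: there is still a gap between the check and the `bash` invocation, so it is not a fix on its own.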

Metrics

CVSS v4.0: 7.5
Severity: HIGH
Fixed in: 0.32.0
Affected products: 1


HarborGuard Analysis

Synopsis

A local privilege escalation vulnerability exists in the CLI installer of CodexBar prior to version 0.32.0. The installer creates a temporary file using mktemp, writes the shell script it intends to run as root into it, and then executes that file with elevated privileges once the administrator prompt is approved. A local attacker running as the same user can overwrite the file at any point between its creation and that privileged execution, a window that spans the entire time the prompt is open, causing attacker-controlled commands to run as root. A patched-image rebuild at version 0.32.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-49134 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the CodexBar CLI installer. Any image layer containing a CodexBar binary below 0.32.0 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured escalation rules.

Patch: Available

A patched-image rebuild pinned to CodexBar 0.32.0 is available for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required (as recorded)

    The recorded vector carries AV:N, which would mean the vulnerable component must be reachable over the network. That conflicts with the advisory text, which describes a purely local attack: the attacker is a process already running as the same user on the host where the installer is executed, and no network exposure is involved. Assess exposure on the local-attacker model the description gives; do not use the network condition to rule hosts out of scope.

  • Authentication: Required

    A low-privilege account is sufficient (PR:L), but it must be a local session as the same user who runs the installer: the mktemp file is created with mode 0600, so processes running as any other user cannot write it.

  • Victim interaction: Required

    The legitimate user must run the installer and be presented with the administrator privilege prompt; approving that prompt is the action counted under UI:P, and the time the prompt sits open before approval is the exploitation window.

  • Attack complexity: High

    The recorded vector rates this AC:H because the attacker must replace the temp file after the installer writes it and before the privileged execution. The window is not a few instructions wide, though: it lasts as long as the administrator prompt is open, so a resident attacker process can wait for the file to appear rather than hit a narrow timing target. What the attacker cannot control is when an administrator chooses to run the installer at all.

Blast Radius

  • A successful attacker executes arbitrary commands as root on the host running the installer.
  • Full read access to all files and secrets on the system is gained, including credentials, keys, and sensitive application data (VC:H).
  • The attacker can modify or delete any file on the system, including binaries, configuration, and persisted data (VI:H).
  • The attacker can terminate or disrupt any process on the host, bringing down services entirely (VA:H).

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49134 activates the moment the advisory is ingested, matching against all images in connected registries and CI pipelines. For environments where the affected CodexBar version is present, a rebuilt image at 0.32.0 is ready to deploy. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval before patching, the finding is routed to the designated team inbox with full CVSS context and a direct link to the fix-version rebuild.


Fix available: 0.32.0

Patch commits: none listed on this record

Affected packages:
  • steipete/CodexBar, versions >= 0 and < 0.32.0

CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N