How is CVE-2026-49135 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network exposure is required. Authentication (required): Any low-privilege local account on the host is sufficient; no elevated or administrative rights are needed. Victim interaction (not-required): No action from another user is required; the attacker can exploit predictable paths independently. Attack complexity (info): Base exploit steps are condition-free, though the CVSS v4.0 vector notes an attack target prerequisite (AT:P), meaning the attacker must wait for or trigger the notarization workflow to be active.

What is the impact of CVE-2026-49135?

Reads the App Store Connect API key written to a fixed temporary path, giving the attacker credentials to interact with the App Store Connect API. Pre-creates files or symbolic links at predictable locations to redirect archive writes to attacker-controlled destinations. Tampers with notarization archives before submission, allowing injection of malicious content into the release artifact. Confidentiality and integrity of the host-local build process are both compromised; the running service itself is not disrupted.

Back to search

HIGHCVE-2026-49135Published 2026-06-01Modified 2026-06-02CNA VulnCheck

CVE-2026-49135: CodexBar < 0.32.0 Insecure Temporary File Handling in Notarization Workflow

Q: What is CVE-2026-49135?

Insecure temporary file handling in CodexBar, a release notarization workflow tool, allows a local attacker with a low-privilege account on the same host to read credentials or tamper with build artifacts. The vulnerability stems from predictable file paths written during the notarization process, enabling symlink attacks and pre-creation of files at those paths. Successful exploitation gives an attacker access to the App Store Connect API key or the ability to redirect notarization archives to attacker-controlled destinations. A patched-image rebuild at version 0.32.0 is available on HarborGuard for environments running an affected version.

Q: How is CVE-2026-49135 fixed?

A patched-image rebuild at CodexBar 0.32.0 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows local attackers to access sensitive credentials or tamper with build artifacts by exploiting predictable file paths in the release notarization workflow. Attackers with access to the same host can read the App Store Connect API key written to a fixed path, pre-create files or symbolic links at predictable locations to redirect writes to attacker-controlled destinations, or tamper with notarization archives before submission.

CVSS v4.0: 7.2
Severity: HIGH
Fixed in: 0.32.0
Affected Products: 1

HarborGuard Analysis

Synopsis

Insecure temporary file handling in CodexBar, a release notarization workflow tool, allows a local attacker with a low-privilege account on the same host to read credentials or tamper with build artifacts. The vulnerability stems from predictable file paths written during the notarization process, enabling symlink attacks and pre-creation of files at those paths. Successful exploitation gives an attacker access to the App Store Connect API key or the ability to redirect notarization archives to attacker-controlled destinations. A patched-image rebuild at version 0.32.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-49135 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle CodexBar versions below 0.32.0.

Available

Triage

HarborGuard scores this CVE at 7.2 HIGH using the CVSS v4.0 vector and is capable of weighting that score against each environment's compliance policy to route findings to the appropriate team inbox within each customer organization.

Available

Patch

A patched-image rebuild at CodexBar 0.32.0 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network exposure is required.
AuthenticationRequired
Any low-privilege local account on the host is sufficient; no elevated or administrative rights are needed.
Victim interactionNot required
No action from another user is required; the attacker can exploit predictable paths independently.
Attack complexityDetail
Base exploit steps are condition-free, though the CVSS v4.0 vector notes an attack target prerequisite (AT:P), meaning the attacker must wait for or trigger the notarization workflow to be active.

Blast Radius

Reads the App Store Connect API key written to a fixed temporary path, giving the attacker credentials to interact with the App Store Connect API.
Pre-creates files or symbolic links at predictable locations to redirect archive writes to attacker-controlled destinations.
Tampers with notarization archives before submission, allowing injection of malicious content into the release artifact.
Confidentiality and integrity of the host-local build process are both compromised; the running service itself is not disrupted.

How HarborGuard Handles This

Available on HarborGuard: any image bundling CodexBar below 0.32.0 is flagged as soon as the CVE is ingested, typically within minutes of upstream publication. For customers who opt into auto-remediation, HarborGuard rebuilds the image at CodexBar 0.32.0, runs a regression check, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy restricts automated changes, the finding is routed to the designated team inbox with the fix version and CVSS detail attached. Because the attack requires a local presence on the build host and an active notarization workflow, compensating controls such as restricting shell access to CI build nodes and running notarization steps in ephemeral, single-tenant containers can reduce exposure until the patched image is deployed.

See how HarborGuard automates this

Fix available

0.32.0

Patch commits

github.com

Affected packages

steipete / CodexBar
< 0.32.0 (from 0)

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available