What is GHSA-8v4r-w49g-jc9w?

GHSA-8v4r-w49g-jc9w is a security advisory published by GitHub Security Advisories with High severity. CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows...

Which CVE IDs does GHSA-8v4r-w49g-jc9w cover?

GHSA-8v4r-w49g-jc9w covers the following CVE IDs: CVE-2026-49135. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-8v4r-w49g-jc9w?

GHSA-8v4r-w49g-jc9w has a CVSS v3 base score of 7.1, published by GitHub Security Advisories.

GHSA-8v4r-w49g-jc9wHighCVSS 7.1

CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows...

Vendor

GitHub Security Advisories

Published

June 1, 2026

Last Modified

June 1, 2026

🔗 CVE IDs covered (1)

CVE-2026-49135 →

📋 Description

CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows local attackers to access sensitive credentials or tamper with build artifacts by exploiting predictable file paths in the release notarization workflow. Attackers with access to the same host can read the App Store Connect API key written to a fixed path, pre-create files or symbolic links at predictable locations to redirect writes to attacker-controlled destinations, or tamper with notarization archives before submission.

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2026-49135
https://github.com/steipete/CodexBar/pull/1228
https://github.com/steipete/CodexBar/commit/e7d932616508cee43ea9bcc63c269b14698de655
https://github.com/steipete/CodexBar/releases/tag/v0.32.0
https://www.vulncheck.com/advisories/codexbar-insecure-temporary-file-handling-in-notarization-workflow
https://github.com/advisories/GHSA-8v4r-w49g-jc9w