CodexBar < 0.33.0 Credential Leakage via HTTP Redirect
CVE-2026-49949

6MEDIUM

Key Information:

Vendor

Steipete

Status
Codexbar
Vendor
CVE Published:
11 June 2026

What is CVE-2026-49949?

CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials by issuing cross-origin or HTTP-downgrade redirects to the shared ProviderHTTPClient transport. Attackers can redirect credentialed provider requests carrying browser cookies, bearer tokens, or API keys to an unintended host, port, or plaintext HTTP destination to capture those credentials.

Affected Version(s)

CodexBar 0

References

https://github.com/steipete/CodexBar/releases/tag/v0.33.0
release-notes
https://github.com/steipete/CodexBar/pull/1237
issue-tracking
https://github.com/steipete/CodexBar/commit/08c171b6b4876...
patch

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon
.