CVE-2026-49949

MEDIUM 5.3

CodexBar < 0.33.0 Credential Leakage via HTTP Redirect

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials by issuing cross-origin or HTTP-downgrade redirects to the shared ProviderHTTPClient transport. Attackers can redirect credentialed provider requests carrying browser cookies, bearer tokens, or API keys to an unintended host, port, or plaintext HTTP destination to capture those credentials.

CWE	CWE-522
Vendor	steipete
Product	codexbar
Published	Jun 11, 2026

Stay Ahead of the Next One

Get instant alerts for steipete codexbar

Be the first to know when new medium vulnerabilities affecting steipete codexbar are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

steipete / CodexBar

0 < 0.33.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/steipete/CodexBar/releases/tag/v0.33.0 github.com: https://github.com/steipete/CodexBar/pull/1237 github.com: https://github.com/steipete/CodexBar/commit/08c171b6b487654a0eb188494fa24bd1c4272a2e vulncheck.com: https://www.vulncheck.com/advisories/codexbar-credential-leakage-via-http-redirect

Credits

Chia Min Jun Lennon