CVE-2026-49134
Description
CodexBar versions prior to 0.32.0 have a privilege escalation vulnerability in the CLI installer, allowing local attackers to run commands as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CodexBar versions prior to 0.32.0 contain a privilege escalation vulnerability in the CLI installer. This vulnerability is exploitable by local attackers who can leverage a race condition in temporary file handling to execute arbitrary commands as root. The installer creates a temporary file using mktemp, writes a privileged shell payload into it, and then executes this payload with administrator privileges via bash. A local process, running as the same user, can rewrite the installer's body before the administrator prompt is approved, leading to attacker-controlled commands being executed with root privileges [4].
Exploitation
An attacker needs local access to the affected system. The exploitation involves a race condition where a local process, running as the same user, must rewrite the installer's temporary file before the administrator prompt is approved. The installer creates a temporary file, writes a payload, and then executes it with administrator privileges. By manipulating the temporary file content before execution, an attacker can cause arbitrary commands to be run as root [4]. The commit dbc944d shows that, before the fix, the installer body was written to a mktemp file and then executed via osascript with administrator privileges; that file is the manipulable target [2].
Impact
Successful exploitation of this vulnerability allows a local attacker to execute arbitrary commands as the root user. This grants the attacker the highest level of privilege on the system, enabling them to perform any action, including reading sensitive data, modifying system configurations, installing malicious software, or completely compromising the system [4].
Mitigation
CodexBar version 0.32.0 and later contain a fix for this vulnerability [1]. The fix involves hardening the CLI installer's privilege boundary to avoid executing a same-user mutable temporary installer script across the macOS administrator privilege boundary [3, 2]. There are no other workarounds mentioned in the available references. The vulnerability was fixed in releases on or after May 30, 2026 [3].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (1)
dbc944d46cd4 fix: harden CLI installer privilege boundary
1 file changed · +14 −17
bin/install-codexbar-cli.sh+14 −17 modified@@ -10,23 +10,20 @@ if [[ ! -x "$HELPER" ]]; then exit 1 fi -install_script=$(mktemp) -cat > "$install_script" <<'EOF' -#!/usr/bin/env bash -set -euo pipefail -HELPER="__HELPER__" -TARGETS=("/usr/local/bin/codexbar" "/opt/homebrew/bin/codexbar") - -for t in "${TARGETS[@]}"; do - mkdir -p "$(dirname "$t")" - ln -sf "$HELPER" "$t" - echo "Linked $t -> $HELPER" -done -EOF - -perl -pi -e "s#__HELPER__#$HELPER#g" "$install_script" +osascript - "$HELPER" <<'APPLESCRIPT' +on run argv + set helperPath to item 1 of argv + set installCommand to "set -euo pipefail" & linefeed & ¬ + "HELPER=" & quoted form of helperPath & linefeed & ¬ + "TARGETS=(\"/usr/local/bin/codexbar\" \"/opt/homebrew/bin/codexbar\")" & linefeed & ¬ + "for t in \"${TARGETS[@]}\"; do" & linefeed & ¬ + " mkdir -p \"$(dirname \"$t\")\"" & linefeed & ¬ + " ln -sf \"$HELPER\" \"$t\"" & linefeed & ¬ + " echo \"Linked $t -> $HELPER\"" & linefeed & ¬ + "done" -osascript -e "do shell script \"bash '$install_script'\" with administrator privileges" -rm -f "$install_script" + do shell script "bash -c " & quoted form of installCommand with administrator privileges +end run +APPLESCRIPT echo "CodexBar CLI installed. Try: codexbar usage"
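Review bot: the trailing context line `echo "CodexBar CLI installed. Try: codexbar usage"` still runs unconditionally after the `osascript` call, so if the user cancels the administrator prompt or `do shell script` fails, the installer reports success unless the enclosing script runs under `set -e` (not visible in this hunk); check osascript's exit status explicitly before printing it. The replacement itself is sound: the quoted `<<'APPLESCRIPT'` heredoc keeps `$HELPER` from being interpolated into the AppleScript source, the path is passed as argv and wrapped with `quoted form of`, and only the composed string reaches `bash -c` under elevation, so there is no longer a same-user-writable file for a concurrent process to rewrite. One practical point: the `¬` continuation characters make the script file non-ASCII, so it must stay UTF-8 encoded for osascript to parse it.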
Vulnerability mechanics
Root cause
"A race condition exists in the CLI installer's temporary file handling, allowing a local attacker to modify a privileged script before it is executed."
Attack vector
A local attacker with user-level privileges can exploit this vulnerability. The installer creates a temporary file using `mktemp`, writes a privileged shell payload into it, and then executes this payload with administrator privileges via `bash` [ref_id=1]. A same-user local process can rewrite the installer's body before the administrator prompt is approved, causing attacker-controlled commands to run as root.
Affected code
The vulnerability lies within the CLI installer script, specifically in the handling of temporary files and the execution of privileged commands. The original script uses `mktemp` to create a temporary file, writes the installation logic to it, and then executes it with administrator privileges using `osascript -e "do shell script \"bash '$install_script'\" with administrator privileges"` [ref_id=1].
What the fix does
The patch hardens the CLI installer's privilege boundary by changing how the privileged shell command is constructed and executed [ref_id=1]. Instead of writing the script to a temporary file and then executing it, the new implementation uses `osascript` to directly execute the shell command with administrator privileges. This eliminates the window of opportunity for a race condition to occur, as the script is no longer written to a file that could be tampered with before execution.
Preconditions
- auth: Attacker must have local user-level privileges.
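The inline composition the fix relies on, written as an added example that is not CodexBar's installer code: a quoting helper that mimics AppleScript's `quoted form of`, the builder for the privileged body, and a syntax check that confirms a hostile-looking path cannot break out of the string. The helper path is a constructed sample, and `sudo` stands in for macOS's `do shell script ... with administrator privileges`.

```shell
#!/usr/bin/env bash
# Added example, not CodexBar's installer: compose the privileged install body
# as a single quoted string that crosses the elevation boundary directly,
# instead of persisting it in a same-user mktemp file that another process
# could rewrite while the administrator prompt is pending (the CVE's race).

# Mimic AppleScript's `quoted form of`: wrap in single quotes and turn each
# embedded single quote into '\'' so a hostile-looking path cannot break out
# of the string and add its own statements to the root context.
shell_quote() {
  printf "'%s'" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the body that will run as root. The helper path is the only caller-
# supplied value and it enters the string already quoted; everything else is
# a fixed literal, so the body is fully determined before elevation.
build_install_command() {
  printf '%s\n' \
    'set -euo pipefail' \
    "HELPER=$(shell_quote "$1")" \
    'TARGETS=("/usr/local/bin/codexbar" "/opt/homebrew/bin/codexbar")' \
    'for t in "${TARGETS[@]}"; do' \
    '  mkdir -p "$(dirname "$t")"' \
    '  ln -sf "$HELPER" "$t"' \
    '  echo "Linked $t -> $HELPER"' \
    'done'
}

# Syntax-check the composed body without executing it: quotes or spaces in
# the path must neither break parsing nor introduce extra statements.
check_syntax() {
  bash -n -c "$1"
}

# Elevation step. On macOS the 0.32.0 fix hands this string to
# `do shell script "bash -c " & quoted form of installCommand with
# administrator privileges`; sudo is the stand-in used here (assumption).
# Either way only the string crosses the boundary, never a writable file.
run_privileged() {
  sudo bash -c "$1"
}

# Demonstration with a constructed helper path (spaces and a quote on purpose).
demo_helper="/tmp/Example App/it's a helper"   # constructed, not a real path
cmd=$(build_install_command "$demo_helper")
check_syntax "$cmd" && printf '%s\n' "$cmd"
```

`run_privileged "$cmd"` is the only step that needs elevation; the demonstration above stops at the syntax check so it runs without privileges.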
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)