CVE-2026-49135
Description
CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows local attackers to access sensitive credentials or tamper with build artifacts by exploiting predictable file paths in the release notarization workflow. Attackers with access to the same host can read the App Store Connect API key written to a fixed path, pre-create files or symbolic links at predictable locations to redirect writes to attacker-controlled destinations, or tamper with notarization archives before submission.
Affected products
Patches
1e7d932616508 fix: isolate notarization temp files
1 file changed · +15 −5
Scripts/sign-and-notarize.sh+15 −5 modified@@ -17,8 +17,18 @@ if [[ -z "${APP_STORE_CONNECT_API_KEY_P8:-}" || -z "${APP_STORE_CONNECT_KEY_ID:- echo "Missing APP_STORE_CONNECT_* env vars (API key, key id, issuer id)." >&2 exit 1 fi -echo "$APP_STORE_CONNECT_API_KEY_P8" | sed 's/\\n/\n/g' > /tmp/codexbar-api-key.p8 -trap 'rm -f /tmp/codexbar-api-key.p8 /tmp/${APP_NAME}Notarize.zip' EXIT + +NOTARIZATION_TEMP_DIR=$(mktemp -d "${TMPDIR:-/tmp}/codexbar-notarize.XXXXXX") +chmod 700 "$NOTARIZATION_TEMP_DIR" +API_KEY_PATH="$NOTARIZATION_TEMP_DIR/codexbar-api-key.p8" +NOTARIZATION_ZIP="$NOTARIZATION_TEMP_DIR/${APP_NAME}Notarize.zip" +trap 'rm -rf "$NOTARIZATION_TEMP_DIR"' EXIT + +( + umask 077 + printf '%s' "$APP_STORE_CONNECT_API_KEY_P8" | sed 's/\\n/\n/g' > "$API_KEY_PATH" +) +chmod 600 "$API_KEY_PATH" ARCH_LIST=( ${ARCHES_VALUE} ) for ARCH in "${ARCH_LIST[@]}"; do @@ -52,11 +62,11 @@ codesign --force --timestamp --options runtime --sign "$APP_IDENTITY" \ "$APP_BUNDLE" DITTO_BIN=${DITTO_BIN:-/usr/bin/ditto} -"$DITTO_BIN" --norsrc -c -k --keepParent "$APP_BUNDLE" "/tmp/${APP_NAME}Notarize.zip" +"$DITTO_BIN" --norsrc -c -k --keepParent "$APP_BUNDLE" "$NOTARIZATION_ZIP" echo "Submitting for notarization" -xcrun notarytool submit "/tmp/${APP_NAME}Notarize.zip" \ - --key /tmp/codexbar-api-key.p8 \ +xcrun notarytool submit "$NOTARIZATION_ZIP" \ + --key "$API_KEY_PATH" \ --key-id "$APP_STORE_CONNECT_KEY_ID" \ --issuer "$APP_STORE_CONNECT_ISSUER_ID" \ --wait
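Review bot: in the first hunk, `NOTARIZATION_TEMP_DIR=$(mktemp -d ...)` has no failure check, and `set -e` is not visible in this diff. If `mktemp` fails (unwritable `TMPDIR`, full disk), the variable is empty, `chmod 700 ""` fails silently, and `API_KEY_PATH` collapses to `/codexbar-api-key.p8`, which is again a fixed, predictable path, this time outside any private directory. Suggest `NOTARIZATION_TEMP_DIR=$(mktemp -d "${TMPDIR:-/tmp}/codexbar-notarize.XXXXXX") || exit 1` so the script stops instead of falling back to an unsafe location.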
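Review bot: in the second hunk, nothing confirms that `"$DITTO_BIN" --norsrc -c -k --keepParent "$APP_BUNDLE" "$NOTARIZATION_ZIP"` succeeded before `xcrun notarytool submit "$NOTARIZATION_ZIP"` runs; unless the script runs under `set -e` (not visible here), a failed archive step proceeds straight to submission with a missing file. Suggest appending `|| exit 1` to the ditto line or guarding the submit with `[[ -s "$NOTARIZATION_ZIP" ]]`, and adding a comment next to the `mktemp -d` call stating that every notarization artifact must live under `NOTARIZATION_TEMP_DIR`, so future edits do not reintroduce `/tmp` paths.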
Vulnerability mechanics
Root cause
"The application uses predictable file paths for temporary files during the notarization process, allowing attackers to manipulate these files."
Attack vector
Local attackers with access to the same host can exploit predictable temporary file paths used by the notarization workflow. By pre-creating files or symbolic links at locations like `/tmp/codexbar-api-key.p8` or `/tmp/${APP_NAME}Notarize.zip`, an attacker can redirect sensitive data, such as the App Store Connect API key, to attacker-controlled destinations. This allows for credential theft or tampering with build artifacts before they are submitted for notarization [ref_id=1].
Affected code
The vulnerability lies in the script's handling of temporary files for notarization, specifically the use of fixed paths like `/tmp/codexbar-api-key.p8` and `/tmp/${APP_NAME}Notarize.zip` [ref_id=1]. The patch modifies these sections to utilize a dynamically created temporary directory.
What the fix does
The patch replaces the fixed `/tmp` paths with a unique per-run directory created by `mktemp -d` and restricted to the owner (`chmod 700`). Both the API key file and the notarization zip archive are created inside that directory; the key is written under `umask 077` and then set to mode 600. The `trap` command is updated to remove the whole directory recursively on exit, so nothing is left behind and another local user can no longer pre-place, redirect, or read these files through a predictable path [ref_id=1].
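The same hardening pattern as a reusable set of shell functions, added here as an example and not taken from CodexBar's own script: a private per-run directory, a key write that refuses any pre-existing path and creates the file with mode 600, cleanup on exit, and an audit check a maintainer can run against a legacy fixed path. Function names and the `notarize-example.*` template are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not CodexBar's script): stage a notarization secret in a
# private mktemp directory, refusing pre-existing paths; names are assumed.
set -euo pipefail

# Create a per-run directory that only the current user can enter or list.
make_private_workdir() {
  local dir
  dir=$(mktemp -d "${TMPDIR:-/tmp}/notarize-example.XXXXXX") || return 1
  chmod 700 "$dir"
  printf '%s\n' "$dir"
}

# Write stdin to $1. Refuses a path that already exists (file or symlink) and
# creates the file with O_EXCL semantics (noclobber) under umask 077, so the
# content never lands in a pre-placed or world-readable file.
write_private_file() {
  local path=$1
  if [[ -e $path || -L $path ]]; then
    echo "refusing to write: $path already exists" >&2
    return 1
  fi
  ( umask 077; set -o noclobber; cat > "$path" )
  chmod 600 "$path"
}

# Audit a legacy fixed path such as /tmp/<app>-key.p8: returns 0 only if it is
# absent or a regular file owned by the current user, 1 otherwise.
check_fixed_path() {
  local path=$1
  [[ -L $path ]] && return 1
  [[ -e $path && ! -O $path ]] && return 1
  [[ -e $path && ! -f $path ]] && return 1
  return 0
}

# Octal permission bits of a path (GNU stat first, BSD/macOS stat fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Stage a key held in a variable with literal "\n" sequences (as in the
# CodexBar script) into a private file; sets STAGED_KEY_PATH and removes the
# directory on exit. Call directly, not inside $(...), so the trap is global.
stage_secret() {
  local dir nl=$'\n'
  dir=$(make_private_workdir)
  trap "rm -rf '$dir'" EXIT
  printf '%s' "${1//\\n/$nl}" | write_private_file "$dir/api-key.p8"
  STAGED_KEY_PATH="$dir/api-key.p8"
}
```

`check_fixed_path` is meant for scripts that still use a fixed path: run it before the write and abort on a non-zero status rather than silently following whatever is already there.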
Preconditions
- Auth: the attacker must have a local account on the same host where the CodexBar notarization script runs.
- Config: the environment variables APP_STORE_CONNECT_API_KEY_P8, APP_STORE_CONNECT_KEY_ID, and APP_STORE_CONNECT_ISSUER_ID must be set; if any is missing the script exits before writing any temporary files.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References