CodexBar: Three Bugs Disclosed — SSRF, Disk Exhaustion, and Credential Forwarding

Key findings
- CVE-2026-53782 is a high-severity SSRF in Summarize <0.17.0 via malicious podcast transcript links
- CVE-2026-53781 allows disk exhaustion by bypassing media size limits through malformed HTTP responses
- CVE-2026-49949 lets network-adjacent attackers intercept credentials via cross-origin redirects
- All three bugs require an attacker to control a podcast RSS feed or be on the same network segment
- Patches released in Summarize 0.17.0 and CodexBar 0.33.0
CodexBar, the open-source podcasting application, disclosed three security vulnerabilities on June 11, 2026, affecting its Summarize and core networking components. The batch includes a high-severity server-side request forgery (SSRF) flaw, a medium-severity resource exhaustion bug, and a medium-severity credential forwarding issue — all of which require an attacker to control a podcast RSS feed or be network-adjacent, but together paint a concerning picture of trust assumptions in podcast content ingestion.
The most severe of the three, **CVE-2026-53782** (CVSS 7.4, High), is an SSRF vulnerability in Summarize versions before 0.17.0. An attacker who controls a podcast RSS feed can craft a malicious podcast:transcript link that directs the host to fetch transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, or other reserved destinations. This could allow an attacker to probe internal services, read metadata from cloud instance endpoints, or interact with otherwise inaccessible systems on the host's internal network.
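The destination check that closes this class of SSRF, as an added example in Python; it is not Summarize's code, and the project's own fix is not shown on this page. The idea is that a transcript URL taken from an untrusted feed is vetted before any fetch: allowed scheme, no userinfo, and every address the host resolves to must be a globally routable unicast address. The hostnames, the fake DNS table and the `resolve` parameter are assumptions made so the example runs offline; `resolve=None` falls back to real DNS through the same `getaddrinfo` a fetcher would use.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not Summarize's code: a destination check for a
# podcast:transcript URL taken from an untrusted RSS feed. Run it before the
# fetch and again on every redirect hop. The resolver is injectable so the
# example runs offline; resolve=None uses real DNS.

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(addr: str) -> bool:
    """True only for a globally routable unicast address.

    ipaddress.is_global already excludes loopback, link-local (169.254/16,
    fe80::/10), RFC 1918, shared address space (100.64/10) and the other
    IANA reserved ranges. Two cases are handled explicitly: an IPv4-mapped
    IPv6 literal (::ffff:10.0.0.5) is unwrapped so the inner v4 address is
    judged, and multicast is rejected because older Pythons call it global.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def _dns_resolve(host: str) -> list[str]:
    """Every A/AAAA answer, not just the first: all of them must pass."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_transcript_url(url: str, resolve=None) -> tuple[bool, str]:
    """Return (allowed, reason). `resolve` maps hostname -> list of IP strings."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"  # classic parser-confusion vector
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no lookup needed
    except ValueError:
        try:
            addrs = (resolve or _dns_resolve)(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, f"{host} did not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed DNS table standing in for an attacker's zone.
    fake_dns = {"cdn.example.net": ["93.184.216.34"], "metadata": ["169.254.169.254"]}
    for u in ["https://cdn.example.net/ep1.vtt",
              "http://169.254.169.254/latest/meta-data/",
              "http://metadata/computeMetadata/v1/",
              "http://[::ffff:10.0.0.5]/t.vtt",
              "file:///etc/passwd"]:
        print(u, check_transcript_url(u, resolve=lambda h: fake_dns.get(h, [])))
```

Two caveats a practitioner would want. First, the check resolves the name once and the fetch resolves it again, so a rebinding DNS server can pass the check and then answer with 127.0.0.1; to close that, connect to the vetted address directly (setting Host and SNI yourself) or run the check inside the client's connection hook. Second, route the check through the same resolver the fetcher uses: forms such as `0x7f000001` are not IP literals for `ipaddress`, but `getaddrinfo` will happily turn them into 127.0.0.1, which is exactly why the resolver path above rejects them.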
**CVE-2026-53781** (CVSS 4.3, Medium) is a resource exhaustion vulnerability, also in Summarize before 0.17.0. Remote attackers can cause disk exhaustion by serving media responses that sidestep the enforced size limit. The bypass works through missing or misreported Content-Length headers, chunked transfer encoding, or failed HEAD requests, that is, through any response where the size the server declares (or fails to declare) differs from what it actually sends. An attacker who controls a podcast feed could therefore make Summarize download an arbitrarily large file, filling the host's disk and causing a denial of service.
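The weak and hardened download loops side by side, as an added Python example that is not Summarize's code. Both take the body as an iterator of byte chunks, which is what an HTTP client hands back regardless of whether the response carried a Content-Length, used chunked transfer encoding, or followed a HEAD that failed; the only difference is whether the cap is compared with the declared size or with the bytes actually written. The cap value, the `.part` naming and the `fake_body` generator are assumptions made for the demonstration.

```python
import io
import os
from typing import Iterator, Optional

# Added example, not Summarize's code. `content_length` is whatever the server
# declared (None when the header is absent, the body is chunked, or a HEAD
# probe failed). `chunks` is the streamed body as the client yields it.

MAX_MEDIA_BYTES = 50 * 1024 * 1024  # hypothetical cap for the demo


class MediaTooLarge(Exception):
    pass


def fake_body(total: int, chunk_size: int = 4096) -> Iterator[bytes]:
    """Constructed response body of `total` bytes, served in chunks."""
    remaining = total
    while remaining > 0:
        n = min(chunk_size, remaining)
        yield b"\x00" * n
        remaining -= n


def download_trusting_header(chunks, content_length, limit, sink) -> int:
    """The pattern the advisory describes: the cap is compared only with the
    size the server *declares*. A missing or understated Content-Length, or a
    chunked body with no length at all, is never measured while it streams."""
    if content_length is not None and content_length > limit:
        raise MediaTooLarge(f"declared {content_length} > {limit}")
    written = 0
    for chunk in chunks:
        sink.write(chunk)
        written += len(chunk)
    return written


def download_bounded(chunks, content_length, limit, sink) -> int:
    """Hardened form: Content-Length is only an early-exit hint; the running
    byte count enforces the cap, so response framing cannot bypass it."""
    if content_length is not None and content_length > limit:
        raise MediaTooLarge(f"declared {content_length} > {limit}")
    written = 0
    for chunk in chunks:
        if written + len(chunk) > limit:
            raise MediaTooLarge(f"body exceeded {limit} bytes after {written} written")
        sink.write(chunk)
        written += len(chunk)
    return written


def fetch_media_to_path(chunks, content_length, path, limit=MAX_MEDIA_BYTES) -> int:
    """Write to a .part file and delete it on rejection, so an aborted
    oversize download does not leave its partial bytes on disk."""
    part = path + ".part"
    try:
        with open(part, "wb") as f:
            written = download_bounded(chunks, content_length, limit, f)
        os.replace(part, path)
        return written
    except MediaTooLarge:
        try:
            os.unlink(part)
        except FileNotFoundError:
            pass
        raise


def run_case(downloader, total: int, content_length: Optional[int], limit: int):
    """Drive a downloader against a constructed body; return (bytes_written, rejected)."""
    sink = io.BytesIO()
    try:
        downloader(fake_body(total), content_length, limit, sink)
        return len(sink.getvalue()), False
    except MediaTooLarge:
        return len(sink.getvalue()), True


if __name__ == "__main__":
    limit = 64 * 1024
    # Server lies: declares 1000 bytes, streams 1 MiB.
    print("trusting header :", run_case(download_trusting_header, 1 << 20, 1000, limit))
    print("bounded         :", run_case(download_bounded, 1 << 20, 1000, limit))
    # No Content-Length at all (chunked body, or the HEAD probe failed).
    print("trusting, no CL :", run_case(download_trusting_header, 1 << 20, None, limit))
    print("bounded, no CL  :", run_case(download_bounded, 1 << 20, None, limit))
```

The point of `fetch_media_to_path` is that aborting the stream is only half the fix: a rejected download that leaves its `.part` file behind still consumes disk, and a feed with many episodes can repeat the trick per item.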
**CVE-2026-49949** (CVSS 5.3, Medium) affects CodexBar before version 0.33.0 and is a credential forwarding vulnerability in the shared ProviderHTTPClient transport. A network-adjacent attacker who can tamper with a response can issue a cross-origin or HTTP-downgrade redirect; when the client follows it without re-evaluating the destination, cookies or other credentials attached to the original request are forwarded to the new destination, so they reach an attacker-controlled endpoint or cross the network in cleartext, enabling session hijacking or credential theft.
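The redirect decision at issue, modelled in Python as an added example; this is not CodexBar's ProviderHTTPClient, and the page does not show the project's own fix. The naive policy forwards every header wherever the Location points. The hardened policy refuses an https-to-http hop outright and strips credential-bearing headers when the target origin (scheme, host, port) differs from the one the request was issued to. The URLs, the token, the cookie and the `RESPONSES` table standing in for the servers are all constructed for the demonstration.

```python
from urllib.parse import urljoin, urlparse

# Added example, not CodexBar's code. Origins are compared as
# (scheme, host, port) with default ports filled in, so
# https://h:443/ and https://h/ are the same origin.

CREDENTIAL_HEADERS = {"authorization", "cookie", "proxy-authorization"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


class UnsafeRedirect(Exception):
    pass


def origin(url: str) -> tuple[str, str, int]:
    p = urlparse(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else (443 if scheme == "https" else 80)
    return scheme, (p.hostname or "").lower(), port


def headers_for_redirect_naive(original_url, location, headers):
    """The behaviour the advisory describes: every header, credentials
    included, follows the redirect wherever it points."""
    return urljoin(original_url, location), dict(headers)


def headers_for_redirect(original_url, location, headers):
    """Hardened form: refuse a protocol downgrade; drop credential-bearing
    headers when the target origin differs from the one they were issued for."""
    target = urljoin(original_url, location)
    src, dst = origin(original_url), origin(target)
    if src[0] == "https" and dst[0] != "https":
        raise UnsafeRedirect(f"refusing downgrade from {original_url} to {target}")
    if src == dst:
        return target, dict(headers)
    return target, {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def redirect_refused(original_url, location, headers) -> bool:
    """True if the hardened policy refuses this hop."""
    try:
        headers_for_redirect(original_url, location, headers)
        return False
    except UnsafeRedirect:
        return True


def follow(url, headers, responses, policy=headers_for_redirect, max_hops=MAX_HOPS):
    """Walk a constructed redirect chain. `responses` maps a URL to
    (status, location or None), standing in for the servers. Returns the list
    of (url, headers_sent) so what each server received is visible."""
    hops = []
    for _ in range(max_hops + 1):
        hops.append((url, dict(headers)))
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or location is None:
            return hops
        url, headers = policy(url, location, headers)
    raise UnsafeRedirect("too many redirects")


# Constructed scenario: a same-origin hop, then a cross-origin hop to a host the
# attacker controls, the Location a network-adjacent attacker would inject.
RESPONSES = {
    "https://api.example.com/v1/usage": (302, "/v2/usage"),
    "https://api.example.com/v2/usage": (302, "https://collector.attacker.example/grab"),
    "https://collector.attacker.example/grab": (200, None),
}
REQUEST_HEADERS = {
    "Authorization": "Bearer sk-test-not-a-real-token",
    "Cookie": "session=abc123",
    "User-Agent": "example-client/1.0",
}


if __name__ == "__main__":
    for url, sent in follow("https://api.example.com/v1/usage", REQUEST_HEADERS, RESPONSES):
        print(url, sorted(sent))
    print("downgrade refused:", redirect_refused(
        "https://api.example.com/v1/usage", "http://api.example.com/v1/usage", REQUEST_HEADERS))
```

Dropping Authorization on a cross-origin redirect is what curl, Go's net/http and Python requests already do, so this policy matches mainstream client behaviour rather than inventing a stricter one. The Cookie rule above is a simplification: a real client keeps cookies in a jar scoped by domain and path and re-evaluates them for each target URL instead of forwarding a header blob, and the header-level strip is the backstop for credentials the caller attached by hand.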
All three vulnerabilities were fixed in the respective version bumps: Summarize 0.17.0 patches CVE-2026-53782 and CVE-2026-53781, while CodexBar 0.33.0 patches CVE-2026-49949. Users are advised to update their installations promptly. No evidence of in-the-wild exploitation has been reported at the time of disclosure.
For podcasting application operators and self-hosted CodexBar users, this batch underscores the risks of trusting external podcast feed data — particularly transcript URLs and media size metadata. The SSRF and disk-exhaustion bugs both rely on an attacker controlling a feed, which is a realistic threat in a decentralized podcast ecosystem where feeds are ingested from arbitrary sources. The credential forwarding issue adds a network-layer concern for deployments where the attacker shares a local network segment with the CodexBar instance.