CVE-2026-43625 Overview
CVE-2026-43625 is a session cookie leakage vulnerability in CodexBar prior to version 0.32.0. The flaw stems from improper redirect handling when importing browser session cookies for the Amp and Ollama provider integrations. A network-positioned attacker can intercept imported session cookies if a provider-controlled redirect sends the request to a cleartext HTTP endpoint within the same provider domain. The vulnerability is classified under CWE-319: Cleartext Transmission of Sensitive Information.
Critical Impact
Network attackers on the path between the victim and the provider can capture imported browser session cookies in cleartext HTTP requests, enabling session hijacking against Amp and Ollama provider accounts.
Affected Products
- CodexBar versions prior to 0.32.0
- CodexBar Amp provider session import functionality
- CodexBar Ollama provider session import functionality
Discovery Timeline
- 2026-06-01 - CVE-2026-43625 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-43625
Vulnerability Analysis
CodexBar imports browser session cookies to authenticate against external AI provider services, including Amp and Ollama. During the import workflow, the client follows redirects issued by the provider domain without enforcing transport security on the resulting request. When a redirect chain terminates at a cleartext http:// endpoint within the same provider domain, the client transmits the imported session cookies over an unencrypted channel. An attacker positioned on the network path between the victim and the provider observes the cleartext request and extracts the session cookies.
Root Cause
The root cause is missing enforcement of HTTPS-only transport when following provider-controlled redirects during session cookie import. The client should reject downgrade redirects from HTTPS to HTTP for any request carrying sensitive credentials. Instead, the pre-0.32.0 redirect handler followed the redirect target as-issued, allowing a same-domain HTTP redirect to trigger cleartext transmission of session cookies.
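The downgrade check described above, shown as an added example that is not CodexBar's own code: a small redirect walker that models the pre-0.32.0 behaviour (follow the Location header as issued) beside the corrected policy (refuse any https-to-http hop while the request carries session cookies). The provider hostname and the redirect chain are constructed for illustration and do not come from the advisory.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect chain (hypothetical provider hostname, not from the advisory).
# Each entry maps a request URL to the Location header the server answers with;
# the last hop is a same-domain downgrade from https to cleartext http.
REDIRECTS = {
    "https://provider.example/session/import": "/session/verify",
    "https://provider.example/session/verify": "http://provider.example/session/done",
}

MAX_HOPS = 10


class DowngradeRejected(Exception):
    """Raised when a credentialed request would be redirected from https to http."""


def follow_redirects(start_url, redirects, has_cookies, reject_downgrade):
    """Walk a redirect chain and report every hop on which cookies went over cleartext.

    reject_downgrade=False models the vulnerable behaviour (follow as issued);
    reject_downgrade=True models the fix: refuse an https->http hop whenever the
    request carries session cookies. Requests without cookies may still downgrade.
    Returns (final_url, list_of_cleartext_urls_that_carried_cookies).
    """
    url = start_url
    cleartext_hops = []
    for _ in range(MAX_HOPS):
        if urlsplit(url).scheme == "http" and has_cookies:
            cleartext_hops.append(url)  # cookies left the host unencrypted here
        location = redirects.get(url)
        if location is None:
            return url, cleartext_hops  # end of chain (non-redirect response)
        next_url = urljoin(url, location)  # resolves relative Location values
        if (reject_downgrade and has_cookies
                and urlsplit(url).scheme == "https"
                and urlsplit(next_url).scheme != "https"):
            raise DowngradeRejected(f"refusing https->http redirect to {next_url}")
        url = next_url
    raise RuntimeError("too many redirects")
```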
Attack Vector
The attacker must occupy a network position capable of observing traffic between the victim host running CodexBar and the targeted provider domain. This includes shared Wi-Fi networks, compromised network infrastructure, and on-path ISP-level observation points. The attacker does not need to inject content or hold credentials. When the victim triggers a session cookie import and the provider redirect chain hits a cleartext HTTP endpoint, the imported cookies appear in the captured request. The attacker then replays the cookies to impersonate the victim against the Amp or Ollama provider.
No verified exploit code is publicly available. See the VulnCheck Security Advisory for additional technical detail.
Detection Methods for CVE-2026-43625
Indicators of Compromise
- Outbound http:// requests from CodexBar process to Amp or Ollama provider domains carrying Cookie headers.
- Unexpected redirect chains in CodexBar network logs that terminate at cleartext endpoints within provider domains.
- Session reuse from unfamiliar source IPs on Amp or Ollama provider accounts following a CodexBar session import event.
Detection Strategies
- Inspect host and network telemetry for CodexBar binary versions older than 0.32.0 and correlate with outbound cleartext HTTP traffic to known provider domains.
- Build network detection rules that flag any HTTP redirect from a known AI provider domain to a same-domain HTTP target.
- Alert on provider authentication events that occur from IP addresses geographically inconsistent with the user's CodexBar host.
Monitoring Recommendations
- Monitor egress traffic for cleartext HTTP requests carrying Cookie headers to Amp and Ollama provider FQDNs.
- Track CodexBar version inventory across managed endpoints and flag installations below 0.32.0.
- Review provider audit logs for anomalous session activity following any CodexBar cookie import operation.
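The first two indicators and the network-side detection rules above, run over constructed egress-proxy log lines as an added example (not from the advisory or from CodexBar): one rule flags a cleartext request to a provider host that carries a Cookie header, the other flags a 3xx response from an https provider URL whose Location is a same-host http target. The log format, the process names and the provider hostnames are assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Hypothetical provider FQDNs to watch; the advisory names the providers, not their hosts.
PROVIDER_HOSTS = {"amp.example", "ollama.example"}

# Constructed egress-proxy log lines (not real CodexBar or proxy output).
# Fields: ts process method url status location has_cookie
SAMPLE_LOG = """\
2026-06-03T10:00:01Z CodexBar GET https://amp.example/session/import 302 https://amp.example/session/verify yes
2026-06-03T10:00:02Z CodexBar GET https://amp.example/session/verify 302 http://amp.example/session/done yes
2026-06-03T10:00:02Z CodexBar GET http://amp.example/session/done 200 - yes
2026-06-03T10:00:05Z Safari GET http://amp.example/static/logo.png 200 - no
2026-06-03T10:00:07Z CodexBar GET https://ollama.example/session/import 200 - yes
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (yes|no)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, proc, _method, url, status, location, cookie = m.groups()
    return {"ts": ts, "proc": proc, "url": url, "status": int(status),
            "location": None if location == "-" else location, "cookie": cookie == "yes"}


def detect(log_text):
    """Return (rule, ts, process, url) tuples for every line that trips a rule."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        u = urlsplit(rec["url"])
        if u.hostname not in PROVIDER_HOSTS:
            continue
        # Rule 1: cleartext request to a provider host carrying a Cookie header
        if u.scheme == "http" and rec["cookie"]:
            alerts.append(("cleartext-cookie", rec["ts"], rec["proc"], rec["url"]))
        # Rule 2: provider redirect from https to a same-host http target
        if 300 <= rec["status"] < 400 and rec["location"]:
            loc = urlsplit(rec["location"])
            if u.scheme == "https" and loc.scheme == "http" and loc.hostname == u.hostname:
                alerts.append(("downgrade-redirect", rec["ts"], rec["proc"], rec["location"]))
    return alerts
```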
How to Mitigate CVE-2026-43625
Immediate Actions Required
- Upgrade CodexBar to version 0.32.0 or later on all managed endpoints. See the GitHub Release v0.32.0 for the fixed build.
- Revoke and reissue any Amp and Ollama provider session cookies that were imported using a vulnerable CodexBar version.
- Audit Amp and Ollama provider account activity for unauthorized session use originating from unexpected IPs.
Patch Information
The vendor fixed the redirect handling logic in CodexBar 0.32.0. The corrective change is documented in GitHub Pull Request #1226 and applied in commit cdd7e347. The patch enforces HTTPS-only transport when following redirects during provider session import.
Workarounds
- Avoid using CodexBar session import for Amp and Ollama providers on untrusted networks until the upgrade to 0.32.0 is complete.
- Restrict CodexBar host traffic to trusted networks or route through a VPN that terminates outside any attacker-controlled segment.
- Enforce network-layer policies that block outbound cleartext HTTP traffic to Amp and Ollama provider domains.
# Verify CodexBar is at or above the fixed version
codexbar --version
# Expected output: 0.32.0 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.