CVE-2026-49135 Overview
CVE-2026-49135 is an insecure temporary file handling vulnerability in CodexBar prior to version 0.32.0. The flaw resides in the release notarization workflow, which writes sensitive material to predictable paths under /tmp. Local attackers on the same host can read the App Store Connect API key written to a fixed location. Attackers can also pre-create files or symbolic links at the predictable paths to redirect writes to attacker-controlled destinations. The same technique enables tampering with notarization archives before submission. The issue is classified under CWE-59: Link Following.
Critical Impact
Local attackers can steal App Store Connect API keys and tamper with signed build artifacts by abusing predictable temporary file paths in the notarization workflow.
Affected Products
- CodexBar versions prior to 0.32.0
- The Scripts/sign-and-notarize.sh notarization script
- macOS build hosts running the affected CodexBar release pipeline
Discovery Timeline
- 2026-06-01 - CVE-2026-49135 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-49135
Vulnerability Analysis
The vulnerable sign-and-notarize.sh script writes the App Store Connect API key to /tmp/codexbar-api-key.p8 and the notarization archive to /tmp/${APP_NAME}Notarize.zip. Both paths are static and world-predictable. Any local user on the build host can race the script, pre-create these paths, or replace them with symbolic links pointing to attacker-controlled locations. The script does not apply restrictive permissions or use a private temporary directory before writing the secret.
Root Cause
The root cause is the use of fixed, predictable paths inside the shared /tmp directory, combined with no umask hardening and no symlink-safe file creation. The API key file is written without first restricting its mode to 600, and the parent directory is writable by every local user. This matches the CWE-59 link-following weakness pattern.
Attack Vector
Exploitation requires local access to the build host with low privileges. An attacker pre-creates /tmp/codexbar-api-key.p8 as a symbolic link to a path they control, or races to read the file during the brief window it exists. The same technique applied to /tmp/${APP_NAME}Notarize.zip lets the attacker swap the archive contents before notarytool submits it to Apple.
echo "Missing APP_STORE_CONNECT_* env vars (API key, key id, issuer id)." >&2
exit 1
fi
-echo "$APP_STORE_CONNECT_API_KEY_P8" | sed 's/\\n/\n/g' > /tmp/codexbar-api-key.p8
-trap 'rm -f /tmp/codexbar-api-key.p8 /tmp/${APP_NAME}Notarize.zip' EXIT
+
+NOTARIZATION_TEMP_DIR=$(mktemp -d "${TMPDIR:-/tmp}/codexbar-notarize.XXXXXX")
+chmod 700 "$NOTARIZATION_TEMP_DIR"
+API_KEY_PATH="$NOTARIZATION_TEMP_DIR/codexbar-api-key.p8"
+NOTARIZATION_ZIP="$NOTARIZATION_TEMP_DIR/${APP_NAME}Notarize.zip"
+trap 'rm -rf "$NOTARIZATION_TEMP_DIR"' EXIT
+
+(
+ umask 077
+ printf '%s' "$APP_STORE_CONNECT_API_KEY_P8" | sed 's/\\n/\n/g' > "$API_KEY_PATH"
+)
+chmod 600 "$API_KEY_PATH"
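Review bot: the `NOTARIZATION_TEMP_DIR=$(mktemp -d ...)` line has no failure check and the hunk shows no `set -e`; if mktemp fails, the variable is empty, `API_KEY_PATH` collapses to `/codexbar-api-key.p8` (a path outside any private directory) and the EXIT trap's `rm -rf ""` removes nothing. Suggest `|| exit 1` on the mktemp line (or `set -euo pipefail` at the top of the script if it is not already there) and moving the `trap 'rm -rf "$NOTARIZATION_TEMP_DIR"' EXIT` line to directly after mktemp, so a failure in the intervening `chmod 700` cannot leave the directory behind. The `chmod 700` duplicates mktemp -d's default 0700 mode and the final `chmod 600` duplicates the `umask 077` subshell; both are harmless as belt-and-braces, but a one-line comment saying so would stop a future cleanup from removing the wrong one.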
Source: GitHub Commit e7d9326
Detection Methods for CVE-2026-49135
Indicators of Compromise
- Presence of /tmp/codexbar-api-key.p8 as a symbolic link rather than a regular file
- Unexpected file ownership or permissions on /tmp/codexbar-api-key.p8 or /tmp/*Notarize.zip
- Access events on the API key path by processes other than the notarization script
- Modification timestamps on notarization archives that predate the build invocation
Detection Strategies
- Audit the build host for open and readlink syscalls targeting /tmp/codexbar-api-key.p8 outside the signing pipeline
- Run integrity checks comparing the SHA-256 of the notarization ZIP before and after notarytool submission
- Review shell history and process accounting for non-pipeline access to predictable CodexBar temp paths
Monitoring Recommendations
- Enable macOS Endpoint Security file-event telemetry for the /tmp directory on build hosts
- Alert on creation of symbolic links inside /tmp whose names match CodexBar artifact patterns
- Track all reads of *.p8 files outside of approved CI/CD service accounts
How to Mitigate CVE-2026-49135
Immediate Actions Required
- Upgrade CodexBar to version 0.32.0 or later, which isolates notarization files in a per-invocation mktemp -d directory with mode 700
- Rotate the App Store Connect API key referenced by APP_STORE_CONNECT_API_KEY_P8 if the build host is multi-user or shared
- Re-verify recent notarized release artifacts against trusted source builds to rule out tampering
Patch Information
The fix landed in GitHub Pull Request #1228 and shipped in GitHub Release v0.32.0. The patch replaces the fixed /tmp/codexbar-api-key.p8 and /tmp/${APP_NAME}Notarize.zip paths with a per-invocation mktemp -d directory, applies umask 077 during the key write, and enforces chmod 600 on the key file. Full technical context is available in the VulnCheck Security Advisory.
Workarounds
- Run CodexBar notarization only on dedicated single-user build hosts where no untrusted local accounts exist
- Override TMPDIR to a private per-user directory with mode 700 before invoking sign-and-notarize.sh
- Wrap the script to pre-create the target paths as regular files with mode 600 and verify they are not symlinks before each run
# Configuration example: enforce a private TMPDIR before notarization
export TMPDIR="$(mktemp -d "$HOME/.codexbar-build.XXXXXX")"
chmod 700 "$TMPDIR"
./Scripts/sign-and-notarize.sh
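The following wrapper is an added example, not CodexBar's own code, covering the last workaround above (pre-create the predictable paths as owner-only regular files and refuse to run if anything is already there) and two of the detection strategies listed earlier (classify a path under /tmp against the indicators of compromise, and compare the notarization ZIP's SHA-256 before and after submission). It assumes APP_NAME defaults to "CodexBar" and that the script lives at ./Scripts/sign-and-notarize.sh as named on this page; both are placeholders.

```shell
#!/bin/sh
# Added example (not CodexBar's own code). Preflight helpers for the
# pre-0.32.0 script, which writes to fixed paths under /tmp.

APP_NAME="${APP_NAME:-CodexBar}"   # assumed default; override via environment

# classify_path PATH
# Prints one token: ABSENT, SYMLINK, NOT_REGULAR, WRONG_OWNER, LOOSE_PERMS or OK.
# Anything other than ABSENT or OK matches an indicator from the list above.
classify_path() {
    p=$1
    if [ -L "$p" ]; then echo SYMLINK; return 0; fi   # check -L first: -e follows links
    if [ ! -e "$p" ]; then echo ABSENT; return 0; fi
    if [ ! -f "$p" ]; then echo NOT_REGULAR; return 0; fi
    # find -user accepts a numeric uid on both GNU and BSD find
    if [ -z "$(find "$p" -maxdepth 0 -user "$(id -u)" 2>/dev/null)" ]; then
        echo WRONG_OWNER; return 0
    fi
    # -perm 600 is an exact match: owner read/write only
    if [ -z "$(find "$p" -maxdepth 0 -perm 600 2>/dev/null)" ]; then
        echo LOOSE_PERMS; return 0
    fi
    echo OK
}

# claim_path PATH
# Creates PATH as an empty mode-600 regular file owned by the caller.
# Returns 1 if the path already exists in any form, so a pre-planted file
# or symbolic link is never silently reused.
claim_path() {
    p=$1
    # noclobber (set -C) makes '>' open with O_EXCL, which also refuses a
    # dangling symlink; the classify_path re-check below is belt-and-braces.
    if ! (umask 077; set -C; : > "$p") 2>/dev/null; then
        return 1
    fi
    [ "$(classify_path "$p")" = OK ] || return 1
}

# preflight_notarize_paths DIR
# Claims both predictable artifact paths under DIR (normally /tmp) and
# refuses to continue if either one is already present.
preflight_notarize_paths() {
    dir=${1:-/tmp}
    for target in "$dir/codexbar-api-key.p8" "$dir/${APP_NAME}Notarize.zip"; do
        state=$(classify_path "$target")
        if [ "$state" != ABSENT ]; then
            echo "refusing: $target already present ($state)" >&2
            return 1
        fi
        claim_path "$target" || { echo "refusing: could not claim $target" >&2; return 1; }
    done
    return 0
}

# file_sha256 PATH -> hex digest (sha256sum on Linux, shasum -a 256 on macOS)
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_unchanged PATH EXPECTED_DIGEST
# Returns 0 if PATH still hashes to EXPECTED_DIGEST. Record the digest right
# before notarytool submits the archive and check it again afterwards.
verify_unchanged() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Command-line use: preflight the shared /tmp, then run the affected script.
case "${1:-}" in
    run) preflight_notarize_paths /tmp && exec ./Scripts/sign-and-notarize.sh ;;
esac
```

Invoke as `sh preflight.sh run` from the repository root. The vulnerable script's `> /tmp/codexbar-api-key.p8` redirection then truncates and writes into the mode-600 file this wrapper owns rather than creating a world-readable one, and any other local user who planted a file or link there first causes the run to abort instead of proceeding. The digest helpers are independent of the preflight so they can be called from whatever step wraps the notarytool submission.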
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.