CVE-2026-49949

Source
https://cve.org/CVERecord?id=CVE-2026-49949
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49949.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49949
Published
2026-06-11T18:55:27.671Z
Modified
2026-07-08T08:12:35.233422770Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
CodexBar < 0.33.0 Credential Leakage via HTTP Redirect
Details

CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials by issuing cross-origin or HTTP-downgrade redirects to the shared ProviderHTTPClient transport. Attackers can redirect credentialed provider requests carrying browser cookies, bearer tokens, or API keys to an unintended host, port, or plaintext HTTP destination to capture those credentials.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49949.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-522"
    ]
}
References

Affected packages

Git / github.com/steipete/codexbar

Affected ranges

Type
GIT
Repo
https://github.com/steipete/codexbar
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.33.0"
        }
    ]
}

Affected versions

v0.*
v0.1.0
v0.1.1
v0.1.2
v0.10.0
v0.11.0
v0.11.1
v0.11.2
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.16.1
v0.17.0
v0.18.0
v0.18.0-beta.1
v0.18.0-beta.2
v0.18.0-beta.3
v0.19.0
v0.2.0
v0.2.1
v0.2.2
v0.20
v0.20.0-beta.1
v0.21
v0.22
v0.23
v0.24
v0.25
v0.25.1
v0.26.0
v0.26.1
v0.27.0
v0.28.0
v0.29.0
v0.29.1
v0.3.0
v0.30.0
v0.30.1
v0.31.0
v0.32.0
v0.32.1
v0.32.2
v0.32.3
v0.32.4
v0.32.5
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.8.0
v0.8.1
v0.9.0
v0.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49949.json"