CVE-2026-43625: CodexBar: session cookie leak via HTTP redirect

MEDIUM
Published June 1, 2026
CISO Take

CodexBar prior to v0.32.0 follows provider-issued redirects onto cleartext HTTP endpoints without dropping the imported browser session cookie, so the cookie is exposed to any attacker positioned on the network path between the developer's workstation and the Amp or Ollama provider. Exploitation needs two things at once: a network-path position and a provider response that actually redirects to an HTTP URL, which is why attack complexity is rated High. The confidentiality impact is High because a single intercepted request yields a replayable session credential for the victim's Amp or Ollama session. There is no CISA KEV entry and no known public exploit, but developers running a vulnerable version on shared or corporate networks face real credential-theft risk. Upgrade to CodexBar v0.32.0, rotate any session cookies that were imported while vulnerable, and block cleartext HTTP to the provider domains at the network layer so the downgrade path cannot be taken even if a redirect is issued.

Sources: NVD, MITRE ATLAS, GitHub Advisory, vulncheck.com

What is the risk?

Medium severity overall, with a high-value impact for AI developer workflows. High Attack Complexity (AC:H) caps opportunistic exploitation: the attacker must sit on the network path, and the provider must actually issue a redirect to a cleartext URL, so the attacker cannot trigger the leak on demand. On shared corporate WiFi, cloud development environments, or hub-and-spoke VPNs the positioning requirement is far easier to meet than in an isolated setup. High Confidentiality impact means a successful capture hands over the full provider session credential, not partial data. No KEV listing and a near-zero EPSS score (0.02%) keep urgency moderate, but the specific targeting of Ollama and Amp sessions makes this directly relevant to security teams governing AI developer tooling.

Attack Kill Chain

1. Network Positioning (AML.T0006)
   Attacker gains network-path visibility between the developer's CodexBar instance and the Amp or Ollama provider, via ARP spoofing, a rogue access point, or privileged network access on a shared segment.

2. Redirect Interception (AML.T0049)
   A provider-controlled endpoint issues a redirect response to a cleartext HTTP URL within the same provider domain; CodexBar follows the redirect without stripping the imported session cookie.

3. Credential Harvest (AML.T0055)
   The session cookie is transmitted in cleartext over HTTP and captured by the network-positioned attacker from a single intercepted request.

4. Inference API Abuse (AML.T0040)
   Attacker replays the stolen session cookie to authenticate against the Ollama or Amp APIs, gaining whatever the victim's session authorizes: AI sessions, query history, and ongoing inference capability.

Severity & Risk

CVSS 3.1
5.9 / 10
EPSS
0.02%
chance of exploitation in 30 days
Higher than 6% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

What should I do?

6 steps
  1. Upgrade CodexBar to v0.32.0 (commit cdd7e347) immediately. This is the only complete fix.

  2. Rotate all imported session cookies for the Amp and Ollama integrations in any environment that ran a vulnerable version on a shared or untrusted network; the cookie, not the app, is the compromised asset, and patching alone does not invalidate a copy already captured.

  3. Audit network traffic or proxy logs for cleartext HTTP requests from CodexBar processes to the Ollama or Amp provider domains; any such request that carried a Cookie header may indicate past exposure.

  4. At the network layer, enforce HTTPS-only access to the Amp and Ollama API endpoints and block cleartext fallback with egress firewall or proxy rules, so the downgrade path is closed even if a provider redirect is issued.

  5. While unpatched, prohibit CodexBar use on untrusted networks (public WiFi, uncontrolled VPNs, shared cloud dev environments).

  6. Monitor for reuse of the same provider session cookie from unexpected source IPs; replay from a second host is the observable signature of a stolen cookie.
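Steps 3 and 6 as detection logic over a sample log, written in Python as an added example rather than anything from the advisory or the CodexBar project. The JSON-lines format, the provider hostnames `amp.example` and `ollama.example`, and the five log records are all constructed for the demo; real logs from an egress proxy or endpoint agent will need a different parser, and the provider host list must be replaced with the actual domains CodexBar contacts. Cookie values appear only as a short identifier (`cookie_id`), because a log that stores full session cookies is itself a credential store.

```python
"""Detection for CVE-2026-43625 exposure, run over a constructed sample log.

Added example, not part of the advisory or of CodexBar. Hostnames, log
format and records are placeholders built for the demo.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Provider hosts to watch. Constructed placeholders: replace with the real
# Amp and Ollama hostnames CodexBar talks to in your environment.
PROVIDER_HOSTS = {"amp.example", "ollama.example"}

# Constructed sample log, one JSON object per line, roughly what an egress
# proxy or endpoint agent might emit. cookie_id is a short hash of the
# cookie, never the cookie itself. Record 2 is the cleartext hop the advisory
# describes; record 4 is a replay of the same cookie from a different host.
SAMPLE_LOG = """\
{"ts":"2026-06-01T09:00:01Z","src_ip":"10.0.0.12","process":"CodexBar","method":"GET","url":"https://amp.example/session","cookie_id":"c1a4"}
{"ts":"2026-06-01T09:00:02Z","src_ip":"10.0.0.12","process":"CodexBar","method":"GET","url":"http://amp.example/session","cookie_id":"c1a4"}
{"ts":"2026-06-01T09:00:05Z","src_ip":"10.0.0.12","process":"CodexBar","method":"GET","url":"https://ollama.example/api/usage","cookie_id":"7f02"}
{"ts":"2026-06-01T09:03:10Z","src_ip":"10.0.0.77","process":"curl","method":"GET","url":"https://amp.example/api/history","cookie_id":"c1a4"}
{"ts":"2026-06-01T09:04:00Z","src_ip":"10.0.0.12","process":"Safari","method":"GET","url":"http://news.example/","cookie_id":null}
"""


def parse_log(text):
    """Parse JSON-lines into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def cleartext_cookie_requests(events):
    """Step 3: cleartext HTTP requests to a provider host that carried a cookie.

    Each hit is a request where the session cookie crossed the network
    unencrypted, i.e. a point at which an on-path attacker could have read it.
    """
    hits = []
    for e in events:
        parts = urlsplit(e["url"])
        if parts.scheme == "http" and parts.hostname in PROVIDER_HOSTS and e.get("cookie_id"):
            hits.append(e)
    return hits


def cookie_reuse(events):
    """Step 6: provider session cookies seen from more than one source IP.

    Returns {cookie_id: sorted list of source IPs} for every cookie that was
    presented to a provider host from at least two different addresses.
    """
    sources = defaultdict(set)
    for e in events:
        if urlsplit(e["url"]).hostname in PROVIDER_HOSTS and e.get("cookie_id"):
            sources[e["cookie_id"]].add(e["src_ip"])
    return {cid: sorted(ips) for cid, ips in sources.items() if len(ips) > 1}


def report(text):
    """Run both detections over a log and return the findings together."""
    events = parse_log(text)
    return {
        "cleartext_cookie_requests": cleartext_cookie_requests(events),
        "cookie_reuse": cookie_reuse(events),
    }


if __name__ == "__main__":
    for kind, finding in report(SAMPLE_LOG).items():
        print(kind)
        print(json.dumps(finding, indent=2))
```

The two checks answer different questions: the first tells you whether a cookie was ever exposed (even with no evidence anyone took it), the second whether a cookie was actually replayed. A positive on the second without a matching first hit can still be legitimate (the developer on two machines), so treat it as a lead for step 2's rotation, not proof of compromise.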

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - Information security in AI system design
NIST AI RMF
MANAGE-2.2 - AI risk management mechanisms
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-43625?

CodexBar prior to v0.32.0 follows provider-issued redirects to cleartext HTTP endpoints without dropping the imported browser session cookie for its Amp and Ollama integrations. An attacker on the network path can capture the cookie from a single cleartext request and replay it against the provider as the developer. CVSS 3.1 base score 5.9 (Medium); fixed in v0.32.0. The CISO Take above gives the full assessment.

Is CVE-2026-43625 actively exploited?

No confirmed active exploitation of CVE-2026-43625 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-43625?

Upgrade CodexBar to v0.32.0 (commit cdd7e347), rotate any Amp or Ollama session cookies imported while a vulnerable version was in use on a shared or untrusted network, block cleartext HTTP to the provider domains at the network layer, and review traffic logs for past cleartext requests that carried cookies. The full six-step list is under "What should I do?" above.

What systems are affected by CVE-2026-43625?

This vulnerability affects the following AI/ML architecture patterns: AI coding assistants, Local LLM inference (Ollama), Developer AI tooling.

What is the CVSS score for CVE-2026-43625?

CVE-2026-43625 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.02%.

AI Security Impact

Affected AI Architectures

AI coding assistants
Local LLM inference (Ollama)
Developer AI tooling

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0040 AI Model Inference API Access
AML.T0055 Unsecured Credentials
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06

Technical Details

Original Advisory

CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers can position themselves on the network path to receive cleartext HTTP requests carrying imported session cookies when a provider-controlled redirect target issues a redirect to a cleartext HTTP endpoint within the same provider domain.

Exploitation Scenario

An attacker on the same corporate network or VPN segment uses passive sniffing or ARP spoofing to sit on the traffic path from a developer's workstation to the Amp or Ollama provider. The developer opens CodexBar, which contacts the provider with the imported browser session cookie; the provider answers with a 30x redirect whose Location is a cleartext HTTP URL on the same provider domain. Because TLS protects that first request, the attacker cannot forge the redirect; the exploit depends on the provider issuing it. CodexBar follows the redirect without dropping the cookie, and the Cookie header crosses the network in plaintext, where the sniffer captures it from a single request. The attacker then replays the cookie against the provider's API as the developer: depending on what the session authorizes, that can mean reading conversation history, injecting adversarial prompts into ongoing sessions, retrieving proprietary source code submitted for analysis, or pivoting to other resources the session grants, all of it appearing to the provider as legitimate activity.
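The redirect-following behaviour at the centre of this scenario, reduced to a runnable Python simulation. This is an added illustration, not CodexBar's own code: the provider hostname `provider.example`, the paths, the cookie value and the canned responses are all constructed, and `fetch` stands in for a real HTTP library so nothing touches the network. `https_only=False` reproduces the pre-0.32.0 behaviour described in the advisory (cookie attached to every hop, including the cleartext one); `https_only=True` is one hardening that refuses the hop before anything is sent in clear.

```python
"""Simulated redirect handling for an imported browser session cookie.

Added illustration, not CodexBar's code. The provider host, paths, cookie
value and canned responses are constructed; nothing leaves the process.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed provider behaviour: the HTTPS session endpoint answers with a
# 302 whose Location is a cleartext URL on the same host, the pattern the
# advisory describes. A second chain uses a relative Location that stays on
# HTTPS, to show the hardened client still follows ordinary redirects.
CANNED_RESPONSES = {
    "https://provider.example/session":  (302, {"Location": "http://provider.example/session"}),
    "http://provider.example/session":   (200, {}),
    "https://provider.example/usage":    (302, {"Location": "/usage/v2"}),
    "https://provider.example/usage/v2": (200, {}),
}


def fetch(url, headers):
    """Stand-in for the HTTP library: look the URL up in the canned table."""
    return CANNED_RESPONSES.get(url, (404, {}))


def follow_redirects(start_url, cookie, https_only, max_hops=5):
    """Follow redirects from start_url, attaching the imported session cookie.

    Returns (sent, refused_url). `sent` is the list of (url, headers) pairs
    actually put on the wire, so the caller can see which requests carried
    the cookie and over which scheme. `refused_url` is None when the chain
    completed, or the cleartext URL the hardened client declined to contact.
    https_only=False mirrors the pre-0.32.0 behaviour in the advisory.
    """
    sent = []
    url = start_url
    origin_host = urlsplit(start_url).hostname
    for _ in range(max_hops):
        parts = urlsplit(url)
        if https_only and parts.scheme != "https":
            # Hardened path: stop before the cookie can be sent in clear.
            return sent, url
        # Attach the cookie only to the host it was imported for, as a cookie
        # jar would. The leak in the advisory is about scheme, not host, so
        # a same-host cleartext hop still gets the cookie in legacy mode.
        headers = {"Cookie": cookie} if parts.hostname == origin_host else {}
        sent.append((url, headers))
        status, resp_headers = fetch(url, headers)
        if status not in REDIRECT_CODES:
            return sent, None
        url = urljoin(url, resp_headers["Location"])  # Location may be relative
    raise RuntimeError(f"more than {max_hops} redirects from {start_url}")


def cleartext_cookie_urls(sent):
    """URLs in a request trace where a Cookie header went over plain HTTP."""
    return [url for url, headers in sent
            if urlsplit(url).scheme == "http" and "Cookie" in headers]


if __name__ == "__main__":
    cookie = "session=imported-from-browser"  # constructed placeholder value
    for https_only in (False, True):
        for start in ("https://provider.example/session", "https://provider.example/usage"):
            sent, refused = follow_redirects(start, cookie, https_only)
            print(f"https_only={https_only} start={start}")
            print("  requested:", [u for u, _ in sent])
            print("  cookie in clear at:", cleartext_cookie_urls(sent))
            print("  refused:", refused)
```

The hardened client still follows the HTTPS-to-HTTPS chain (`/usage` to `/usage/v2`); the policy is on the scheme of the next hop, not on redirects in general. Refusing the hop is preferable to merely stripping the cookie, because a cleartext request to the provider without credentials is useless to the app anyway and still tells an observer which service it talks to.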

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
June 1, 2026
Last Modified
June 2, 2026
First Seen
June 1, 2026

Related Vulnerabilities