CodexBar versions prior to 0.32.0 employ predictable temporary file paths in the release notarization workflow. This design flaw allows a local attacker who shares the same host as the notarization process to read the App Store Connect API key that the tool writes to a fixed location, to pre‑create files or symbolic links at known paths to redirect the key write operation to an attacker‑controlled file, or to tamper with the notarization archive before it is uploaded. The consequence is the theft of a sensitive credential and the ability to modify build artifacts, which could lead to the deployment of malicious binaries or the compromise of the App Store submission chain.

The vulnerability applies to the open‑source tool CodexBar developed by steipete. Any installation running a version older than 0.32.0 is susceptible. The affected product includes the notarization workflow component responsible for packaging macOS applications for App Store submission.

The CVSS score of 7.2 indicates a high potential impact when locally exploited. Because the attack requires local access to the same host, the exploitation vector is local, making it more relevant to operators who control the build environment. EPSS data is unavailable, so the current probability of exploitation cannot be quantified, but the absence of a KEV listing suggests no publicly known, widespread exploitation so far. Nonetheless, the combination of credential exposure and the ability to tamper with notarization artifacts represents a significant risk for developers and release engineers. Organizations should treat this as a high‑priority issue if their build infrastructure is shared or not adequately isolated.