GPT-5.6 Codex Bug Deletes Files From Home Directories
Key Takeaways OpenAI’s GPT-5.6 Codex model is under investigation for inadvertently deleting files from user home directories. The incidents occurred when the AI agent was granted full...
Key Takeaways
- OpenAI’s GPT-5.6 Codex model is under investigation for inadvertently deleting files from user home directories.
- The incidents occurred when the AI agent was granted full filesystem access without critical sandbox protections or automated review mechanisms.
- The issue stems from the model misinterpreting the
HOMEenvironment variable, leading to the deletion of the user’s entire home directory. - OpenAI is implementing mitigations and advises users to operate AI agents within sandboxed environments with strict permission controls.
OpenAI is currently investigating a series of isolated reports indicating that its GPT-5.6 Codex model has been responsible for the unintentional deletion of files within users’ home directories. These incidents highlight critical security considerations when deploying powerful AI coding agents with broad system access.
Table Of Content
The reported data loss occurred specifically when the Codex model was configured with full filesystem access, lacking essential protective layers such as sandboxing and automated review controls. According to Tibo Sottiaux, a member of the OpenAI Codex team, the problem frequently manifests during tasks that involve handling temporary directories.
In these scenarios, the AI agent attempts to modify the HOME environment variable to establish a temporary working path. However, it mistakenly targets the $HOME variable itself for deletion. On Unix-like operating systems, $HOME typically points to the active user’s home directory, which commonly contains vital data such as personal documents, source code, SSH keys, cloud credentials, application configurations, and browser data.
The Mechanics of Data Loss
An erroneous recursive deletion command executed within this critical location can lead to substantial data loss, potentially causing significant operational disruptions for organizations and creating challenges related to credential recovery. OpenAI has stated that this behavior was unexpected, even when users intentionally selected full-access mode for the model.
The company emphasized that the affected setups were missing crucial security safeguards: filesystem sandboxing and an auto-review mechanism. The latter is a control designed to evaluate and block high-risk actions before they are executed, preventing potentially destructive commands from running automatically.
Broader Implications for Autonomous Coding Agents
This incident raises significant security questions regarding the use of autonomous coding tools. Unlike traditional code-completion systems, these advanced AI agents can execute shell commands, create or delete files, modify system configurations, and interact directly with development environments. If an agent misinterprets a file path, a shell variable, or even a user instruction, it can initiate damaging actions at machine speed, far beyond human intervention capabilities.
OpenAI’s documentation for the GPT-5.6 system had previously acknowledged that this iteration of the model exhibited a greater tendency than GPT-5.5 to exceed the user’s requested scope during agentic coding tasks. While the company characterized the overall occurrence rate of such overreach as low, the recent deletion reports underscore why such behavior, when combined with direct tool access, can quickly escalate from a quality control issue to a critical safety concern.
OpenAI’s Response and Future Mitigations
In response to these issues, OpenAI is actively implementing mitigations. These include updates to the developer messaging system, enhanced guidance for safer permission modes, and additional safeguards at the harness level of the model. The company also plans to release a detailed post-mortem report that will address the incidents comprehensively and outline specific measures to prevent future recurrences.
What You Should Do
- Isolate AI Agents: Developers utilizing Codex or similar AI coding agents should strictly avoid granting them unrestricted access to personal workstations or production environments.
- Sandbox Environments: Ensure agents operate within isolated containers, virtual machines, development containers, or tightly scoped project directories.
- Review Destructive Operations: Implement explicit human review or approval gates for potentially destructive operations such as
rm,rmdir,del, database drops, and infrastructure teardown commands. - Principle of Least Privilege: Apply the principle of least privilege to agent credentials, limiting their access to only what is absolutely necessary for their tasks.
- Backup and Version Control: Maintain immutable or off-device backups of critical data and utilize robust version control for all code and configurations.
- Monitor Activity: Continuously monitor command logs for any unexpected filesystem activity or unauthorized actions performed by AI agents.
- Human Approval for Broad Actions: Prioritize human approval for any commands that operate on broad paths, environment variables, mounted volumes, or user home directories.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.