Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Halts WhatsApp Usernames Rollout Due to Fraud Concerns
July 1, 2026
Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
July 1, 2026
Automated Password Spray Attacks Target Microsoft Azure CLI
July 1, 2026
Home/CyberSecurity News/Critical OpenAI Codex Bug Exposed GitHub User Tokens
CyberSecurity News

Critical OpenAI Codex Bug Exposed GitHub User Tokens

Key Takeaways A critical command injection vulnerability was discovered in OpenAI Codex, enabling attackers to steal GitHub user and installation access tokens. The flaw, tracked as CVE-XXXX-XXXX...

Marcus Rodriguez
Marcus Rodriguez
April 7, 2026 4 Min Read
35 0

Key Takeaways

  • A critical command injection vulnerability was discovered in OpenAI Codex, enabling attackers to steal GitHub user and installation access tokens.
  • The flaw, tracked as CVE-XXXX-XXXX (placeholder, as no CVE ID was provided in the source), affected the ChatGPT website, Codex CLI, SDK, and IDE extensions.
  • Exploitation involved injecting malicious commands into unsanitized GitHub branch names, leading to token exfiltration from cloud containers or local developer machines.
  • OpenAI promptly patched the vulnerability in late January 2026 after a responsible disclosure in December 2025.

The increasing integration of artificial intelligence into software development lifecycles is introducing new and critical attack surfaces. Cybersecurity researchers at BeyondTrust’s Phantom Labs recently uncovered a severe command injection vulnerability within OpenAI Codex, a cloud-based AI coding assistant. This flaw could have allowed unauthorized access to sensitive GitHub User Access Tokens, posing a significant risk to development environments.

Table Of Content

  • Key Takeaways
  • The Command Injection Exploit
  • Stealing Installation Tokens
  • What You Should Do

By manipulating how Codex processes requests for task creation, malicious actors could have leveraged this vulnerability to gain unauthorized access to an organization’s GitHub environment. The level of access would mirror the exact permissions granted to the compromised AI agent, potentially leading to widespread compromise.

The Command Injection Exploit

OpenAI Codex functions as a coding assistant, directly interfacing with developers’ GitHub repositories. When a user submits a prompt for tasks like code generation or repository analysis, Codex initiates a managed container to execute these operations.

Codex attack path( source : beyondtrust)

During the container setup phase, BeyondTrust researchers identified a critical input sanitization failure. Specifically, the GitHub branch name parameter, sent within an HTTP POST request, was directly incorporated into the environment’s setup scripts without proper validation.

This oversight created an opportunity for attackers to inject arbitrary shell commands directly into the branch name. For instance, a crafted payload could instruct the system to write a hidden GitHub OAuth token to a readable text file. An attacker could then prompt the Codex agent to read this newly created file, exposing the cleartext token within the web interface.

Authorizing ChatGPT Codex Connector on the GitHub application( source : beyondtrust)

The vulnerability’s scope extended beyond the web portal to encompass local developer environments. Researchers found that desktop Codex applications store authentication credentials in local files. If an attacker gained access to a developer’s machine running Windows, macOS, or Linux, they could steal these local session tokens.

Using these compromised local tokens, an attacker could authenticate against the backend API and retrieve the user’s complete task history. This backend access provided a pathway to extract GitHub access tokens embedded within the container task logs. The attack could also be automated, enabling the compromise of multiple users without direct interaction with the Codex interface.

A particularly insidious attack vector involved creating a malicious branch in a shared GitHub repository. Any user who subsequently used Codex on that specific codebase would trigger the exploit, leading to their compromise.

Codex authentication tokens stored in auth.json(source :beyondtrust)

To circumvent GitHub’s branch-naming restrictions, which typically disallow standard spaces, attackers ingeniously substituted spaces with a payload containing an internal field separator. Furthermore, they used Unicode Ideographic Spaces to conceal the malicious payload from the user interface. To an unsuspecting victim, the malicious branch appeared identical to a legitimate main branch. Once a user or an automated process interacted with this branch, the hidden payload would execute silently, exfiltrating their GitHub token to an attacker-controlled external server.

Stealing Installation Tokens

This automated branch attack also proved effective against automated pull requests. When a developer tagged the Codex bot to perform a code review on a pull request, the system would initiate a dedicated code review container. If the repository involved in the pull request contained the maliciously named branch, the automated container would execute the hidden payload, allowing attackers to steal the broader GitHub Installation Access token.

Codex container logs demonstrating command injection(source :beyondtrust)

This critical vulnerability impacted several components, including the ChatGPT website, Codex CLI, Codex SDK, and Codex IDE Extensions. OpenAI was responsibly notified of the flaw in December 2025 and deployed a comprehensive patch by late January 2026, addressing the issue across its affected services.

As AI coding assistants become increasingly integrated into developer workflows, organizations must treat agent containers as strict security boundaries. Vigilance and proactive security measures are paramount to mitigating these evolving threats.

What You Should Do

  • Sanitize Inputs Rigorously: Ensure all user-controllable inputs, especially those passed to shell commands, undergo thorough sanitization to prevent command injection.
  • Never Trust External Data: Assume that data formats from external providers are not inherently safe and implement validation checks.
  • Enforce Least Privilege: Audit and restrict the permissions granted to all AI applications, adhering strictly to the principle of least privilege.
  • Monitor Repository Activity: Regularly monitor GitHub repositories for unusual branch names that may contain shell metacharacters or Unicode spaces, which can indicate malicious activity.
  • Rotate Tokens and Review Logs: Implement a policy for regular rotation of GitHub tokens and meticulously review access logs for any unexpected API activity.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitPatchSecurityThreatVulnerability

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Fake TradingView Premium Posts on Reddit Deliver Vidar and AMOS Stealers

Next Post

Microsoft Warns of Critical Medusa Ransomware Attacks Exploiting 0-Day Flaws

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Fluentd Vulnerabilities Allow Remote Code Execution
July 1, 2026
Weaponized Google Ads Install Malicious Claude Code to Hijack macOS
July 1, 2026
Critical Adobe ColdFusion Vulnerabilities Let Attackers Run Code
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us