Critical OpenAI Codex Bug Exposed GitHub User Tokens
Key Takeaways
- A critical command injection vulnerability was discovered in OpenAI Codex, enabling attackers to steal GitHub user and installation access tokens.
- No CVE identifier was cited in the source report; the flaw affected the ChatGPT website, Codex CLI, SDK, and IDE extensions.
- Exploitation involved injecting malicious commands into unsanitized GitHub branch names, leading to token exfiltration from cloud containers or local developer machines.
- OpenAI promptly patched the vulnerability in late January 2026 after a responsible disclosure in December 2025.
The increasing integration of artificial intelligence into software development lifecycles is introducing new and critical attack surfaces. Cybersecurity researchers at BeyondTrust’s Phantom Labs recently uncovered a severe command injection vulnerability within OpenAI Codex, a cloud-based AI coding assistant. This flaw could have allowed unauthorized access to sensitive GitHub User Access Tokens, posing a significant risk to development environments.
By manipulating how Codex processes requests for task creation, malicious actors could have leveraged this vulnerability to gain unauthorized access to an organization’s GitHub environment. The level of access would mirror the exact permissions granted to the compromised AI agent, potentially leading to widespread compromise.
The Command Injection Exploit
OpenAI Codex functions as a coding assistant, directly interfacing with developers’ GitHub repositories. When a user submits a prompt for tasks like code generation or repository analysis, Codex initiates a managed container to execute these operations.

During the container setup phase, BeyondTrust researchers identified a critical input sanitization failure. Specifically, the GitHub branch name parameter, sent within an HTTP POST request, was directly incorporated into the environment’s setup scripts without proper validation.
This oversight created an opportunity for attackers to inject arbitrary shell commands directly into the branch name. For instance, a crafted payload could instruct the system to write a hidden GitHub OAuth token to a readable text file. An attacker could then prompt the Codex agent to read this newly created file, exposing the cleartext token within the web interface.

The vulnerability’s scope extended beyond the web portal to encompass local developer environments. Researchers found that desktop Codex applications store authentication credentials in local files. If an attacker gained access to a developer’s machine running Windows, macOS, or Linux, they could steal these local session tokens.
Using these compromised local tokens, an attacker could authenticate against the backend API and retrieve the user’s complete task history. This backend access provided a pathway to extract GitHub access tokens embedded within the container task logs. The attack could also be automated, enabling the compromise of multiple users without direct interaction with the Codex interface.
A particularly insidious attack vector involved creating a malicious branch in a shared GitHub repository. Any user who subsequently used Codex on that specific codebase would trigger the exploit, leading to their compromise.

To circumvent GitHub’s branch-naming restrictions, which disallow ordinary spaces, attackers replaced the spaces in their payload with the shell’s internal field separator (IFS). They also used Unicode Ideographic Spaces to conceal the malicious payload in the user interface, so to an unsuspecting victim the malicious branch appeared identical to a legitimate main branch. Once a user or an automated process interacted with this branch, the hidden payload executed silently and exfiltrated their GitHub token to an attacker-controlled external server.
Stealing Installation Tokens
This automated branch attack also proved effective against automated pull requests. When a developer tagged the Codex bot to perform a code review on a pull request, the system would initiate a dedicated code review container. If the repository involved in the pull request contained the maliciously named branch, the automated container would execute the hidden payload, allowing attackers to steal the broader GitHub Installation Access token.

This critical vulnerability impacted several components, including the ChatGPT website, Codex CLI, Codex SDK, and Codex IDE Extensions. OpenAI was responsibly notified of the flaw in December 2025 and deployed a comprehensive patch by late January 2026, addressing the issue across its affected services.
As AI coding assistants become increasingly integrated into developer workflows, organizations must treat agent containers as strict security boundaries. Vigilance and proactive security measures are paramount to mitigating these evolving threats.
What You Should Do
- Sanitize Inputs Rigorously: Ensure all user-controllable inputs, especially those passed to shell commands, undergo thorough sanitization to prevent command injection.
- Never Trust External Data: Assume that data formats from external providers are not inherently safe and implement validation checks.
- Enforce Least Privilege: Audit and restrict the permissions granted to all AI applications, adhering strictly to the principle of least privilege.
- Monitor Repository Activity: Regularly monitor GitHub repositories for unusual branch names that may contain shell metacharacters or Unicode spaces, which can indicate malicious activity.
- Rotate Tokens and Review Logs: Implement a policy for regular rotation of GitHub tokens and meticulously review access logs for any unexpected API activity.
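The first and fourth recommendations, and the unsanitized branch-name handling described under "The Command Injection Exploit", can be sketched in code. The Python below is an added example, not code from OpenAI, BeyondTrust, or the Codex setup scripts. It contrasts the unsafe pattern the researchers described (a branch name spliced into a shell command string) with an allowlisted argv form that no shell ever parses, and it runs an audit over a constructed branch list for shell metacharacters, IFS references, and hidden Unicode space or format characters that make a name render like a protected branch. The repository URL, the allowlist, the protected-branch set, and every branch name are constructed assumptions.

```python
import re
import unicodedata
from typing import Dict, List, Optional

# Allowlist for branch names we are willing to hand to a setup script:
# ASCII letters, digits, '.', '_', '/', '-', 1..255 chars, alphanumeric first.
# Deliberately stricter than git's own ref rules, which permit characters a
# shell cares about, such as ';', '$', '`', '&' and '|'.  (Assumed policy.)
SAFE_BRANCH = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")

# Characters that mean something to a POSIX shell when left unquoted.
SHELL_META = frozenset(";&|$`<>()\\\"'*?{}[]!#~\n")

# Branches an attacker might imitate with invisible characters (assumed set).
PROTECTED = frozenset({"main", "master", "develop"})

# Constructed sample: ordinary names plus names shaped like the ones the
# write-up describes (hidden Unicode spaces, shell metacharacters, IFS).
CONSTRUCTED_BRANCHES = [
    "main",
    "feature/login-form",
    "release-2.3.1",
    "main\u3000",        # trailing U+3000 IDEOGRAPHIC SPACE, renders like "main"
    "dev\u200b",         # U+200B ZERO WIDTH SPACE, invisible in most UIs
    "hotfix;echo",       # ';' ends the current command inside a shell string
    "fix$IFS",           # '$IFS' expands to a word separator under `sh -c`
]


def is_safe_branch_name(name: str) -> bool:
    """Allowlist check plus the git ref rules the regex alone does not cover."""
    return (
        SAFE_BRANCH.fullmatch(name) is not None
        and ".." not in name
        and "//" not in name
        and not name.endswith("/")
        and not name.endswith(".lock")
    )


def render_setup_command_unsafe(branch: str) -> str:
    """The vulnerable pattern: the branch name is spliced into a string that a
    setup script later runs through `sh -c`, so whatever the name contains
    becomes part of the command line.  Returned as text, never executed here."""
    return f"git clone --branch {branch} --single-branch https://example.invalid/repo.git"


def render_setup_command_safe(branch: str) -> List[str]:
    """The hardened pattern: reject anything outside the allowlist, then pass
    the name as one argv element (no shell parses it) after `--` so it can
    never be read as an option either."""
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", "clone", "--branch", branch, "--single-branch",
            "--", "https://example.invalid/repo.git"]


def lookalike_of(name: str) -> Optional[str]:
    """Return the protected branch this name imitates, or None.  Non-ASCII
    spaces and invisible characters are dropped and the rest NFKC-folded (so
    fullwidth letters become ASCII) before comparing."""
    visible = "".join(c for c in name
                      if unicodedata.category(c) not in ("Zs", "Cf", "Cc"))
    folded = unicodedata.normalize("NFKC", visible)
    return folded if folded in PROTECTED and name != folded else None


def audit_branch_name(name: str) -> List[str]:
    """Reasons a branch name deserves a look; an empty list means it is clean."""
    reasons = []
    meta = sorted({c for c in name if c in SHELL_META})
    if meta:
        reasons.append("shell metacharacters: " + "".join(meta))
    if "$IFS" in name or "${IFS" in name:
        reasons.append("references IFS to smuggle a word separator")
    seen = set()
    for ch in name:                      # in order, each character once
        if ch in seen or ch == " ":
            continue
        seen.add(ch)
        cat = unicodedata.category(ch)
        if cat == "Zs":
            reasons.append(f"non-ASCII space U+{ord(ch):04X} {unicodedata.name(ch, '?')}")
        elif cat in ("Cf", "Cc"):
            reasons.append(f"invisible character U+{ord(ch):04X} {unicodedata.name(ch, '?')}")
    target = lookalike_of(name)
    if target:
        reasons.append(f"renders like protected branch {target!r}")
    return reasons


def audit_branches(names) -> Dict[str, List[str]]:
    """Run the audit over a branch list and keep only the flagged names."""
    findings = {n: audit_branch_name(n) for n in names}
    return {n: r for n, r in findings.items() if r}


if __name__ == "__main__":
    print("unsafe string :", render_setup_command_unsafe("hotfix;echo"))
    print("safe argv     :", render_setup_command_safe("feature/login-form"))
    for name, reasons in audit_branches(CONSTRUCTED_BRANCHES).items():
        print(f"{name!r}: " + "; ".join(reasons))
```

The audit is meant to run over the output of a branch listing (for example the names returned by the GitHub API or `git for-each-ref`) on a schedule; anything it flags is a review item, not proof of compromise, since legitimate tooling occasionally produces odd names. The safe renderer shows the design point that matters most: validation narrows what a name may contain, and passing it as a single argv element removes the shell from the path entirely, so the two defences do not depend on each other.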
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.