  • 🧭 AI Security

    Uncategorized openai codex github oauth security
    hasamba@infosec.exchange
    🧭 AI Security

    This report documents a critical command injection vulnerability in OpenAI Codex that enabled theft of GitHub User Access Tokens via the ChatGPT Codex Connector. The discovery was credited to BeyondTrust Phantom Labs and disclosed to OpenAI on December 16, 2025. OpenAI issued a hotfix on December 23, 2025, followed by additional fixes for branch shell escape (January 22, 2026) and further shell-escape hardening and reduced GitHub token access (January 30, 2026). The vulnerability was classified as Critical (Priority 1) on February 5, 2026, with permission granted for public disclosure.

    Technical narrative
    • The ChatGPT Codex Connector uses short-lived, scoped OAuth 2.0 access tokens to act on behalf of consenting users. With broad default scopes, the application can access repositories, workflows, actions, branches, and private organizational resources when authorized inside an organization.
    • In the Codex Web portal, user prompts that target repositories and branches create “cloud task” POST requests carrying environment identifiers, branch, and prompt text. On backend execution, Codex spins up containerized environments that run setup scripts, install dependencies, and may execute code derived from prompts.
    • Environments support custom setup scripts, environment variables, and secrets, and by default allow outbound internet access during setup via an HTTP/HTTPS proxy. The command injection allowed an attacker to achieve shell escape within these containers, access environment-scoped secrets, and exfiltrate GitHub tokens.

    Attack chain (reported)
    • Initial Access — crafted prompts or repository inputs processed by Codex allowed injection into backend task handling.
    • Execution — containerized environment executed injected commands during setup or runtime.
    • Exfiltration — obtained short-lived OAuth tokens were transmitted out via network proxy pathways.

    Observed fixes and timeline
    • 2025-12-23: Hotfix for command injection.
    • 2026-01-22: Fix for GitHub branch shell escape.
    • 2026-01-30: Additional shell escape hardening and limits on GitHub token access.

    This account focuses on the concrete findings: vulnerable task handling in Codex, container shell escape leading to token theft, the privileged default scopes of the GitHub integration, and the sequence of fixes applied by OpenAI.

    #OpenAI #Codex #GitHub #OAuth #Security

    Source: https://www.beyondtrust.com/blog/entry/openai-codex-command-injection-vulnerability-github-token
    hacksilon@infosec.exchange
    @rsgbengi Hey. Thanks for the writeup. I feel like there is either an error or a missing attack type in the redirect_uri section, when it comes to subdomain confusion. The trick I know is using the entire domain as a subdomain to your own domain, so to use legitimate.com.evil.com as the redirect_uri to attack a wildcard like legitimate.com* (without a slash before the wildcard).

    I'm not aware of any OAuth issues that would allow you to add an extra subdomain to a redirect URI - is that a thing as well? Keycloak does not expand wildcards that aren't the final character of the redirect URI, so *.legitimate.com would not be a working wildcard, but other implementations may differ.
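The wildcard confusion raised in the reply above, as an added example that is not part of the thread and not Keycloak's or any other server's code: a raw string-prefix wildcard check is compared with a validator that parses the URI and compares scheme, host and port exactly. The function names, the `/callback` path and both patterns are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample values; the host names are the ones used in the post above.
WEAK_PATTERN = "https://legitimate.com*"       # no slash before the wildcard
SAFE_PATTERN = "https://legitimate.com/*"      # wildcard confined to the path
GOOD_URI = "https://legitimate.com/callback"   # hypothetical callback path
LOOKALIKE_URI = "https://legitimate.com.evil.com/callback"


def naive_wildcard_match(pattern: str, redirect_uri: str) -> bool:
    """Weak form: the trailing wildcard is a raw string-prefix comparison."""
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def component_match(pattern: str, redirect_uri: str) -> bool:
    """Hardened form: scheme, host and port must be equal; '*' only extends a path."""
    wildcard = pattern.endswith("*")
    try:
        p, u = urlsplit(pattern.rstrip("*")), urlsplit(redirect_uri)
        # Ports are compared as written, so an explicit :443 must be registered as such.
        p_origin = (p.scheme, p.hostname, p.port)
        u_origin = (u.scheme, u.hostname, u.port)
    except ValueError:             # malformed host or port
        return False
    if u.scheme != "https" or u.username is not None or u.fragment:
        return False
    if p_origin != u_origin:
        return False
    if ".." in u.path.split("/"):  # no dot-segments stepping out of the allowed prefix
        return False
    if wildcard:
        # A wildcard is honoured only directly after a slash in the path.
        return p.path.endswith("/") and u.path.startswith(p.path)
    return (u.path, u.query) == (p.path, p.query)


def audit(pattern: str) -> dict:
    """Return (naive, hardened) verdicts for the two sample URIs."""
    return {
        uri: (naive_wildcard_match(pattern, uri), component_match(pattern, uri))
        for uri in (GOOD_URI, LOOKALIKE_URI)
    }


if __name__ == "__main__":
    for pat in (WEAK_PATTERN, SAFE_PATTERN):
        print(pat, audit(pat))
```

The hardened validator refuses the slash-less pattern outright, so a registration like `legitimate.com*` shows up as a misconfiguration instead of silently matching a look-alike host.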