<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[🧭 AI Security]]></title><description><![CDATA[<p>🧭 AI Security</p><p>This report documents a critical command injection vulnerability in OpenAI Codex that enabled theft of GitHub User Access Tokens via the ChatGPT Codex Connector. The discovery was credited to BeyondTrust Phantom Labs and disclosed to OpenAI on December 16, 2025. OpenAI issued a hotfix on December 23, 2025, followed by additional fixes for branch shell escape (January 22, 2026) and further shell-escape hardening and reduced GitHub token access (January 30, 2026). The vulnerability was classified as Critical (Priority 1) on February 5, 2026, with permission granted for public disclosure.</p><p>Technical narrative<br />• The ChatGPT Codex Connector uses short-lived, scoped OAuth 2.0 access tokens to act on behalf of consenting users. With broad default scopes, the application can access repositories, workflows, actions, branches, and private organizational resources when authorized inside an organization.<br />• In the Codex Web portal, user prompts that target repositories and branches create “cloud task” POST requests carrying environment identifiers, branch, and prompt text. On backend execution, Codex spins up containerized environments that run setup scripts, install dependencies, and may execute code derived from prompts.<br />• Environments support custom setup scripts, environment variables, and secrets, and by default allow outbound internet access during setup via an HTTP/HTTPS proxy.
The command injection allowed an attacker to achieve shell escape within these containers, access environment-scoped secrets, and exfiltrate GitHub tokens.</p><p>Attack chain (reported)</p><p>🎣 Initial Access — crafted prompts or repository inputs processed by Codex allowed injection into backend task handling.<br />⚙️ Execution — containerized environment executed injected commands during setup or runtime.<br />📤 Exfiltration — obtained short-lived OAuth tokens were transmitted out via network proxy pathways.</p><p>Observed fixes and timeline<br />• 2025-12-23: Hotfix for command injection.<br />• 2026-01-22: Fix for GitHub branch shell escape.<br />• 2026-01-30: Additional shell escape hardening and limits on GitHub token access.</p><p>This account focuses on the concrete findings: vulnerable task handling in Codex, container shell escape leading to token theft, the privileged default scopes of the GitHub integration, and the sequence of fixes applied by OpenAI.
<a href="https://infosec.exchange/tags/OpenAI" rel="tag">#<span>OpenAI</span></a> <a href="https://infosec.exchange/tags/Codex" rel="tag">#<span>Codex</span></a> <a href="https://infosec.exchange/tags/GitHub" rel="tag">#<span>GitHub</span></a> <a href="https://infosec.exchange/tags/OAuth" rel="tag">#<span>OAuth</span></a> <a href="https://infosec.exchange/tags/Security" rel="tag">#<span>Security</span></a></p><p>🔗 Source: <a href="https://www.beyondtrust.com/blog/entry/openai-codex-command-injection-vulnerability-github-token" rel="nofollow noopener">https://www.beyondtrust.com/blog/entry/openai-codex-command-injection-vulnerability-github-token</a></p>]]></description><link>https://board.circlewithadot.net/topic/de664453-9412-4542-8be9-831c98f920c2/ai-security</link><generator>RSS for Node</generator><lastBuildDate>Mon, 06 Apr 2026 05:20:17 GMT</lastBuildDate><atom:link href="https://board.circlewithadot.net/topic/de664453-9412-4542-8be9-831c98f920c2.rss" rel="self" type="application/rss+xml"/><pubDate>Mon, 30 Mar 2026 18:59:07 GMT</pubDate><ttl>60</ttl></channel></rss>