Researchers uncover critical vulnerability in OpenAI’s Codex exposing GitHub tokens


By: Admin


Researchers at BeyondTrust Phantom Labs have discovered a serious command injection vulnerability in OpenAI’s Codex cloud environment, which exposed GitHub OAuth tokens directly from the agent’s execution environment.


The flaw originated from insufficient input sanitization in how Codex processed GitHub branch names during task execution. By injecting arbitrary commands via the branch name parameter, an attacker could execute malicious payloads inside the agent’s container and extract sensitive authentication tokens.

Because Codex has access to connected GitHub repositories, the implications extend beyond a single user. In controlled testing, Phantom Labs demonstrated that the technique could be automated to compromise multiple users interacting with a shared repository. The vulnerability affected several Codex interfaces, including the ChatGPT website, Codex CLI, Codex SDK, and the Codex IDE Extension.

The potential consequences of the vulnerability were significant. GitHub user access tokens tied to repositories, workflows, and private code were exposed, creating a risk of token theft. In addition, attackers could potentially move laterally across organizations using shared environments, magnifying the scope of compromise. Automation further increased the risk, allowing token exfiltration at scale across multiple users.

Phantom Labs researchers also noted that authentication tokens stored locally on developers’ machines could be leveraged to replicate the attack through backend APIs, further expanding the potential blast radius. To increase stealth and reliability, they developed obfuscated payload techniques using Unicode characters, enabling malicious commands to run without being visibly detectable in the user interface.

“This research highlights a broader and growing concern: AI coding agents like Codex are not just development tools, but privileged identities operating inside live execution environments with direct access to source code, credentials, and infrastructure. This highlights a growing class of risk where automated workflows can operate outside the visibility or control of traditional security models,” commented Fletcher Davis, Director of Research for BeyondTrust Phantom Labs.

When user-controlled input is passed into these environments without strict validation, the result is not just a bug — it is a scalable attack path into enterprise systems.
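One way to apply that strict validation to a branch name before it reaches any command, and to surface the invisible Unicode characters mentioned earlier, is sketched below. This is an added example, not OpenAI's fix or code from the Phantom Labs research; the allow-list policy, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumed policy: ASCII allow-list, deliberately stricter than git's own ref rules.
ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,199}")
# Unicode categories that render as nothing or as blank space in most UIs.
HIDDEN_CATEGORIES = {"Cc", "Cf", "Zs", "Zl", "Zp"}


def check_branch_name(name: str) -> list[str]:
    """Return the reasons a branch name is rejected (empty list = accepted)."""
    problems = []
    for ch in name:
        if unicodedata.category(ch) in HIDDEN_CATEGORIES:
            # Report the code point so a reviewer sees what the UI does not show.
            problems.append(f"hidden or whitespace character U+{ord(ch):04X}")
    if not ALLOWED.fullmatch(name):
        problems.append("characters outside [A-Za-z0-9._/-] or bad first character")
    if ".." in name or "//" in name or name.endswith(("/", ".", ".lock")):
        problems.append("sequence git itself refuses in ref names")
    return problems


def checkout_argv(name: str) -> list[str]:
    """Build an argument vector for git; raise instead of passing bad input on."""
    problems = check_branch_name(name)
    if problems:
        raise ValueError(f"rejected branch name {name!r}: {'; '.join(problems)}")
    # A list handed to subprocess.run() is never parsed by a shell, so the
    # name stays one argument even if the allow-list were later relaxed.
    return ["git", "checkout", name]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the research.
    samples = ["feature/login-fix", "main;echo injected", "main\u200b",
               "main\u3000x", "-b"]
    for sample in samples:
        print(ascii(sample), "->", check_branch_name(sample) or "accepted")
```

Rejecting the name outright, rather than stripping the offending characters, keeps the value that is validated identical to the value that is later used.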

Phantom Labs worked closely with OpenAI to responsibly disclose the vulnerability, and all reported issues have since been remediated in coordination with OpenAI’s security team.
