OpenAI Codex CLI Command Injection Vulnerability
OpenAI addressed a critical command-injection vulnerability in its Codex CLI tool that allowed attackers to execute arbitrary commands on developer machines by hiding malicious configuration files within code repositories. The flaw, disclosed by Check Point and patched in Codex CLI version 0.23.0, exploited the way the tool automatically loaded and executed MCP server entries from project-local configuration files. If a repository contained a file that redirected the configuration directory and included a malicious MCP server command, Codex CLI would execute those commands as soon as a developer ran the Codex command, potentially compromising the system.
This vulnerability turned routine developer workflows into attack vectors, as simply running Codex CLI in a tampered repository could result in the execution of hidden commands without the user's knowledge. OpenAI released a fix for the issue after being notified by Check Point, mitigating the risk of attackers hijacking developer machines through this vector. Security teams are advised to ensure all Codex CLI installations are updated to the latest version and to review repository sources before running AI-powered development tools.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
OpenAI patches Codex CLI in version 0.23.0
OpenAI fixed the vulnerability in Codex CLI version 0.23.0 after disclosure by Check Point. The patch blocked project-local redirection of CODEX_HOME and addressed unvalidated execution of local MCP server entries.
Researchers detail repository-based exploitation path
Technical analysis showed attackers with repository write access or pull request capability could abuse .env files and project-local MCP server entries to redirect CODEX_HOME, load rogue configuration, and execute hidden commands during normal developer workflows. The issue created supply chain risk for downstream users and CI/CD environments.
Check Point discovers RCE flaw in OpenAI Codex CLI
Check Point researchers identified a critical command-injection/remote code execution vulnerability in OpenAI's Codex CLI, tracked as CVE-2025-61260. The flaw allowed malicious repository files and configuration redirection to trigger arbitrary command execution on developer machines.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Codex Bug Let Repo Files Execute Hidden Commands
govinfosecurity.com
Open sourceCodex Bug Let Repo Files Execute Hidden Commands
bankinfosecurity.com
Open sourceRCE flaw in OpenAI’s Codex CLI highlights new risks to dev environments
csoonline.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OpenAI patched ChatGPT DNS exfiltration flaw and Codex command injection bug
OpenAI patched a ChatGPT vulnerability that allowed sensitive conversation data and uploaded files to be exfiltrated through a covert DNS-based outbound channel in the platform's code-execution runtime. Check Point Research said a malicious prompt or backdoored custom GPT could abuse the isolated Python/Linux environment to leak user content without approval dialogs or visible warnings, and the same path could support bidirectional communication for remote shell access and command execution. OpenAI said it had already identified the underlying issue internally and fully deployed a fix on **February 20, 2026**; reports said there is no evidence of malicious exploitation. A separate OpenAI flaw in **Codex** also drew scrutiny after BeyondTrust Phantom Labs disclosed a critical command injection issue tied to GitHub branch names. The bug could let attackers inject commands, steal GitHub tokens, and potentially move laterally across shared repositories before OpenAI patched it on **February 5, 2026**. The disclosures underscore how AI assistants and coding agents can introduce new enterprise attack paths when outbound communications, runtime isolation, and input validation are not tightly controlled.
Jun 29, 2026
OpenCode AI Coding Agent RCE via Unauthenticated Local Server and Web UI XSS
Security researchers disclosed two high-severity vulnerabilities in the open-source **OpenCode** AI coding agent that can allow **arbitrary command execution on a developer workstation** in drive-by scenarios. **CVE-2026-22812** stems from OpenCode automatically starting an **unauthenticated HTTP server** with **permissive CORS** (`Access-Control-Allow-Origin: *`), enabling any local process—or a malicious website via cross-origin requests—to invoke sensitive local API endpoints and execute shell commands with the user’s privileges. Separately, **CVE-2026-22813** is a **critical** issue in the OpenCode web UI where the markdown renderer can inject arbitrary HTML into the DOM without sanitization (no *DOMPurify* and no CSP), enabling JavaScript execution on the `http://localhost:4096` origin and subsequent access to local APIs that can spawn processes. Mitigations are available for both OpenCode issues: **CVE-2026-22812** is fixed in **OpenCode 1.0.216**, and **CVE-2026-22813** is fixed in **OpenCode 1.1.10**. Other items in the set describe unrelated vulnerabilities in different products (e.g., a command-injection flaw in an end-of-life VS Code extension, unsafe deserialization in *LlamaIndex*, ReDoS in *LangChain*, and various web app SQLi/XSS/access-control issues) and do not materially change the OpenCode risk picture; they should be tracked separately by affected-asset ownership and exposure.
Jun 29, 2026
Critical Command Injection Vulnerability in Cybersecurity AI (CAI) Framework
A critical command injection vulnerability, tracked as CVE-2025-67511, has been identified in the open-source Cybersecurity AI (CAI) framework, which is used for building and deploying AI-powered offensive and defensive automation. The flaw exists in the `run_ssh_command_with_credentials()` function, where only the password and command inputs are properly escaped, leaving the username, host, and port parameters vulnerable to injection. This allows attackers to craft malicious inputs that can execute arbitrary shell commands via AI agents, potentially compromising affected systems remotely. The vulnerability affects all CAI versions up to and including 0.5.9, and no official fix or patch is available as of the latest reports. The issue is classified as critical, with a CVSS v3.1 base score of 9.6 or higher, reflecting the high risk to confidentiality, integrity, and availability. Exploitation requires user interaction, likely through the AI agent's command execution interface, but does not require authentication or elevated privileges. Security advisories recommend that organizations using CAI implement compensating controls and monitor for suspicious activity, as the vulnerability is remotely exploitable and no mitigation has been released. The lack of a patch increases the urgency for defensive measures to prevent potential exploitation in production environments.
Jun 29, 2026