A critical vulnerability in OpenAI Group PBC’s Codex coding agent could have exposed sensitive GitHub authentication tokens through a command injection flaw, according to a new report out today from Phantom Labs, the research arm of identity and access security company BeyondTrust Corp.

Codex is a coding assistant offered as part of ChatGPT that allows developers to interact directly with code repositories by issuing prompts that trigger automated tasks such as code generation, reviews and pull requests. The tasks run inside managed container environments that clone repositories and authenticate using short-lived GitHub OAuth tokens, creating a useful but sensitive execution layer.

The vulnerability occurred as a result of the way Codex processes branch names during task creation. It allowed for manipulation of the branch parameter to inject arbitrary shell commands during environment setup that could be used to execute code within the container. Testing the vulnerability, the researchers could extract the GitHub OAuth token used for repository access and expose it through task outputs or external network requests.

With access to the GitHub OAuth token, an attacker could potentially move laterally within GitHub, particularly in enterprise environments where Codex is granted broad permissions across repositories and workflows.

The researchers also demonstrated that the flaw extended beyond the web interface to Codex’s command-line interface, software development kit and integrated development environment integrations. Those are where locally stored authentication credentials could be used to reproduce the attack via backend application programming interfaces.

If exploited, the vulnerability also could have been scaled. The researchers found that by embedding malicious payloads directly into GitHub branch names, an attacker with repository access could compromise multiple users interacting with the same project.

The good news is that OpenAI has since addressed the vulnerability through coordinated fixes, including improved input validation, stronger shell escaping protections and tighter controls around token exposure within container environments. The AI giant also put in place additional measures to limit token scope and lifetime during task execution.

“AI coding agents are not just productivity tools. They are live execution environments with access to sensitive credentials and organizational resources,” the report concludes. “When user-controllable input is passed unsanitized into shell commands, the result is command injection with real consequences: token theft, organizational compromise and automated exploitation at scale.”

The report added that “as AI agents become more deeply integrated into developer workflows, the security of the containers they run in — and the input they consume — must be treated with the same rigor as any other application security boundary. The attack surface is expanding and the security of these environments needs to keep pace.”

Image: SiliconANGLE/Ideogram