OpenAI Codex macOS Vulnerability Could Leak Data Through Indirect Prompt Injection
A vulnerability in the OpenAI Codex desktop app for macOS could allow attackers to leak sensitive data by abusing indirect prompt injection and automatic Markdown image rendering.
The flaw is tracked as CVE-2026-14898. According to the GitHub Advisory Database, Codex rendered remote images from Markdown in model responses. That behavior could allow attacker-controlled content to make the model generate an image URL containing sensitive data.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
When the app fetched that remote image, the data embedded in the URL could be sent to an attacker-controlled server without a separate click from the user. The NVD record says successful exploitation could expose secrets and other information available inside the Codex session, including API keys, source code, and data returned by connected tools.
What makes CVE-2026-14898 risky?
The issue sits at the intersection of AI behavior and app rendering. A normal Markdown feature, remote image loading, becomes dangerous when the model can be influenced by untrusted text from files, connected tools, logs, webpages, or other external sources.
The attacker does not need to directly control the user’s prompt. Instead, the attacker places hidden or hostile instructions in content that Codex later processes. That is why the issue is described as an indirect prompt injection problem.
OpenAI Codex is designed as an AI coding agent for engineering work, and that makes the data exposure path important. Coding tools often operate around repositories, credentials, build logs, configuration files, and internal documentation.
| Item | Details |
|---|---|
| CVE | CVE-2026-14898 |
| Product | OpenAI Codex desktop app for macOS |
| Weakness | Exposure of sensitive information |
| Main attack path | Indirect prompt injection plus automatic remote image fetching |
| Potentially exposed data | API keys, source code, session-accessible secrets, and connected-tool output |
| Known exploitation | No known exploitation in the wild at the time of disclosure |
How the data leak could happen
The attack begins when Codex processes untrusted content that contains a malicious instruction. That instruction can be hidden in a file, tool result, webpage, log entry, or other content a developer asks Codex to analyze.
If the model follows the injected instruction, it may generate a Markdown image reference that points to a remote server controlled by the attacker. The URL could include sensitive information as a query parameter or path value.
The GitHub advisory says the app automatically fetched that URL while rendering the response. That automatic request is the exfiltration step, because the attacker’s server receives the embedded data.
- An attacker places indirect prompt injection text in content Codex may process.
- A user asks Codex to review or summarize that untrusted content.
- The model is induced to create a Markdown image URL containing sensitive data.
- The Codex desktop app renders the response and loads the remote image.
- The attacker-controlled server receives the data inside the request.
Severity and affected versions
The issue has been categorized as a confidentiality problem. The advisory maps it to CWE-200, which covers exposure of sensitive information to an actor who should not have access to it.
GitHub lists the vulnerability as Medium severity with a CVSS 3.1 score of 6.5. The score reflects network attack vector, low attack complexity, no privileges required, required user interaction, high confidentiality impact, and no demonstrated integrity or availability impact.
The CVE-2026-14898 Detail page says NVD has not yet provided its own assessment, but CISA-ADP added a CVSS 3.1 vector and marked exploitation as none in its SSVC data. NVD’s change history also lists Codex desktop app for macOS versions before 26.527.31326 as affected.
| Severity field | Reported value |
|---|---|
| GitHub severity | Moderate |
| CVSS 3.1 score | 6.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Confidentiality impact | High |
| Integrity impact | None demonstrated |
| Availability impact | None demonstrated |
Why developers should pay attention
The risk depends on what Codex can access during a session. A developer using the app only on low-risk sample code faces less exposure than a developer using it inside a production repository or a privileged workspace.
The concern grows when Codex can see secrets, private source code, CI logs, internal API responses, customer data, or connected-tool output. In those cases, the model’s response can become a bridge between sensitive local context and an external network request.
The Codex app is built for real engineering workflows, including multi-agent work and connected development environments. That same level of access means security teams need clear rules around untrusted input, secret handling, and outbound requests from AI coding tools.
Prompt injection is now an application security issue
This vulnerability shows why prompt injection can no longer be treated as only a model behavior problem. The vulnerable chain depends on model output, Markdown rendering, network fetching, and session access to sensitive context.
OWASP LLM01:2025 describes prompt injection as a risk where inputs can alter an LLM’s behavior or output in unintended ways. Indirect prompt injection is especially relevant here because the attacker’s instruction can arrive through external content rather than the user’s direct prompt.
The MITRE CWE entry also helps explain the impact. The underlying weakness is not code execution. It is the exposure of information to an unauthorized actor through a path the user may not notice.
How teams can reduce exposure
Security teams should first verify which Codex desktop app version is installed on managed Macs and compare it with the affected-version information in vulnerability tracking systems.
Developers should avoid processing untrusted files, logs, webpages, or external tool outputs in sessions that contain secrets or privileged project context. This is especially important when the AI tool can read private repositories or connected-tool results.
OWASP prompt injection guidance recommends treating external content as untrusted and limiting what the model can access or trigger. For this specific flaw, teams should also watch for unexpected outbound image requests from the Codex app.
- Update the Codex desktop app for macOS when a fixed or newer version is available.
- Limit secrets in AI coding sessions, especially API keys and tokens.
- Avoid feeding untrusted content into privileged Codex workspaces.
- Monitor outbound requests from developer machines to unfamiliar domains.
- Block automatic loading of remote resources where controls allow it.
- Separate sensitive repositories from experimental AI-assisted analysis.
What users should do now
Users should check for Codex desktop app updates and follow their organization’s security guidance for AI coding tools. Teams that manage developer Macs should confirm the installed version, review outbound network telemetry, and decide whether extra controls are needed around remote resource loading.
There is no public evidence of active exploitation in the wild at the time of disclosure. Still, the vulnerability matters because it gives attackers a practical way to turn a model response into a data-exfiltration channel.
The broader lesson is clear: AI development tools need security controls around both what they read and what they render. Prompt injection becomes more serious when the application automatically turns model output into network activity.
FAQ
CVE-2026-14898 is a vulnerability in the OpenAI Codex desktop app for macOS. It involves automatic rendering of remote images from Markdown in model responses, which could let an attacker exfiltrate sensitive data through indirect prompt injection.
An attacker could place malicious instructions in untrusted content processed by Codex. If the model generated a Markdown image URL containing sensitive data, the app could automatically fetch that remote image and send the embedded data to the attacker’s server.
Potentially exposed data could include API keys, source code, secrets available in the Codex session, and information returned by connected tools. The impact depends on what the app can access during the session.
Public vulnerability records say there is no known exploitation in the wild at the time of disclosure. Security teams should still review affected installations because the flaw involves sensitive data exposure.
Developers should update Codex when a fixed or newer version is available, avoid processing untrusted content in sessions with secrets, limit connected-tool access, and monitor unexpected outbound requests from developer machines.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages