OpenAI Codex macOS Vulnerability Could Leak Data Through Indirect Prompt Injection


A vulnerability in the OpenAI Codex desktop app for macOS could allow attackers to leak sensitive data by abusing indirect prompt injection and automatic Markdown image rendering.

The flaw is tracked as CVE-2026-14898. According to the GitHub Advisory Database, Codex rendered remote images from Markdown in model responses. That behavior could allow attacker-controlled content to make the model generate an image URL containing sensitive data.

When the app fetched that remote image, the data embedded in the URL could be sent to an attacker-controlled server without a separate click from the user. The NVD record says successful exploitation could expose secrets and other information available inside the Codex session, including API keys, source code, and data returned by connected tools.

What makes CVE-2026-14898 risky?

The issue sits at the intersection of AI behavior and app rendering. A normal Markdown feature, remote image loading, becomes dangerous when the model can be influenced by untrusted text from files, connected tools, logs, webpages, or other external sources.

The attacker does not need to directly control the user’s prompt. Instead, the attacker places hidden or hostile instructions in content that Codex later processes. That is why the issue is described as an indirect prompt injection problem.

OpenAI Codex is designed as an AI coding agent for engineering work, and that makes the data exposure path important. Coding tools often operate around repositories, credentials, build logs, configuration files, and internal documentation.

ItemDetails
CVECVE-2026-14898
ProductOpenAI Codex desktop app for macOS
WeaknessExposure of sensitive information
Main attack pathIndirect prompt injection plus automatic remote image fetching
Potentially exposed dataAPI keys, source code, session-accessible secrets, and connected-tool output
Known exploitationNo known exploitation in the wild at the time of disclosure

How the data leak could happen

The attack begins when Codex processes untrusted content that contains a malicious instruction. That instruction can be hidden in a file, tool result, webpage, log entry, or other content a developer asks Codex to analyze.

If the model follows the injected instruction, it may generate a Markdown image reference that points to a remote server controlled by the attacker. The URL could include sensitive information as a query parameter or path value.

The GitHub advisory says the app automatically fetched that URL while rendering the response. That automatic request is the exfiltration step, because the attacker’s server receives the embedded data.

  1. An attacker places indirect prompt injection text in content Codex may process.
  2. A user asks Codex to review or summarize that untrusted content.
  3. The model is induced to create a Markdown image URL containing sensitive data.
  4. The Codex desktop app renders the response and loads the remote image.
  5. The attacker-controlled server receives the data inside the request.

Severity and affected versions

The issue has been categorized as a confidentiality problem. The advisory maps it to CWE-200, which covers exposure of sensitive information to an actor who should not have access to it.

GitHub lists the vulnerability as Medium severity with a CVSS 3.1 score of 6.5. The score reflects network attack vector, low attack complexity, no privileges required, required user interaction, high confidentiality impact, and no demonstrated integrity or availability impact.

The CVE-2026-14898 Detail page says NVD has not yet provided its own assessment, but CISA-ADP added a CVSS 3.1 vector and marked exploitation as none in its SSVC data. NVD’s change history also lists Codex desktop app for macOS versions before 26.527.31326 as affected.

Severity fieldReported value
GitHub severityModerate
CVSS 3.1 score6.5
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionRequired
Confidentiality impactHigh
Integrity impactNone demonstrated
Availability impactNone demonstrated

Why developers should pay attention

The risk depends on what Codex can access during a session. A developer using the app only on low-risk sample code faces less exposure than a developer using it inside a production repository or a privileged workspace.

The concern grows when Codex can see secrets, private source code, CI logs, internal API responses, customer data, or connected-tool output. In those cases, the model’s response can become a bridge between sensitive local context and an external network request.

The Codex app is built for real engineering workflows, including multi-agent work and connected development environments. That same level of access means security teams need clear rules around untrusted input, secret handling, and outbound requests from AI coding tools.

Prompt injection is now an application security issue

This vulnerability shows why prompt injection can no longer be treated as only a model behavior problem. The vulnerable chain depends on model output, Markdown rendering, network fetching, and session access to sensitive context.

OWASP LLM01:2025 describes prompt injection as a risk where inputs can alter an LLM’s behavior or output in unintended ways. Indirect prompt injection is especially relevant here because the attacker’s instruction can arrive through external content rather than the user’s direct prompt.

The MITRE CWE entry also helps explain the impact. The underlying weakness is not code execution. It is the exposure of information to an unauthorized actor through a path the user may not notice.

How teams can reduce exposure

Security teams should first verify which Codex desktop app version is installed on managed Macs and compare it with the affected-version information in vulnerability tracking systems.

Developers should avoid processing untrusted files, logs, webpages, or external tool outputs in sessions that contain secrets or privileged project context. This is especially important when the AI tool can read private repositories or connected-tool results.

OWASP prompt injection guidance recommends treating external content as untrusted and limiting what the model can access or trigger. For this specific flaw, teams should also watch for unexpected outbound image requests from the Codex app.

  • Update the Codex desktop app for macOS when a fixed or newer version is available.
  • Limit secrets in AI coding sessions, especially API keys and tokens.
  • Avoid feeding untrusted content into privileged Codex workspaces.
  • Monitor outbound requests from developer machines to unfamiliar domains.
  • Block automatic loading of remote resources where controls allow it.
  • Separate sensitive repositories from experimental AI-assisted analysis.

What users should do now

Users should check for Codex desktop app updates and follow their organization’s security guidance for AI coding tools. Teams that manage developer Macs should confirm the installed version, review outbound network telemetry, and decide whether extra controls are needed around remote resource loading.

There is no public evidence of active exploitation in the wild at the time of disclosure. Still, the vulnerability matters because it gives attackers a practical way to turn a model response into a data-exfiltration channel.

The broader lesson is clear: AI development tools need security controls around both what they read and what they render. Prompt injection becomes more serious when the application automatically turns model output into network activity.

FAQ

What is CVE-2026-14898?

CVE-2026-14898 is a vulnerability in the OpenAI Codex desktop app for macOS. It involves automatic rendering of remote images from Markdown in model responses, which could let an attacker exfiltrate sensitive data through indirect prompt injection.

How could the Codex vulnerability leak data?

An attacker could place malicious instructions in untrusted content processed by Codex. If the model generated a Markdown image URL containing sensitive data, the app could automatically fetch that remote image and send the embedded data to the attacker’s server.

What data could be exposed through this flaw?

Potentially exposed data could include API keys, source code, secrets available in the Codex session, and information returned by connected tools. The impact depends on what the app can access during the session.

Has CVE-2026-14898 been exploited in the wild?

Public vulnerability records say there is no known exploitation in the wild at the time of disclosure. Security teams should still review affected installations because the flaw involves sensitive data exposure.

How can developers reduce the risk?

Developers should update Codex when a fixed or newer version is available, avoid processing untrusted content in sessions with secrets, limit connected-tool access, and monitor unexpected outbound requests from developer machines.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages