Description
A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.
Published: 2026-04-14
Score: n/a
EPSS: n/a
KEV: No
Impact: Arbitrary code execution via CLI configuration
Action: Patch urgently
AI Analysis

Impact

The vulnerability arises when the OpenAI Codex CLI automatically loads project‑local configuration files without user confirmation. Malicious content placed in .env or .codex/config.toml can be executed immediately, giving an attacker the ability to run arbitrary commands on the host where the CLI is invoked. This flaw represents a command‑injection style weakness that directly compromises confidentiality, integrity, and availability of the local system.

Affected Systems

The affected product is the OpenAI Codex Command Line Interface version 0.23.0 and any earlier release. The issue is triggered in any repository that contains a .env file or a .codex/config.toml file designed by an attacker. The CLI processes these files automatically whenever a codex command is executed within that repository, regardless of the repository’s provenance.

Risk and Exploitability

The CVSS score is not provided, and the EPSS metric is unavailable; the vulnerability is not listed in the CISA KEV catalog. However, the attack requires only that the user runs a codex command in a repository that can be influenced by an attacker, which is a realistic scenario in collaborative or publicly hosted projects. Because the vulnerability allows local execution of arbitrary code, the risk can be considered high, especially in environments where the CLI is used frequently or where repository content is not strictly trusted.

Generated by OpenCVE AI on April 14, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available OpenAI Codex CLI update that resolves this issue.
  • Avoid running codex commands in untrusted or potentially compromised repositories.
  • Manually inspect and remove or sanitize any .env or .codex/config.toml files before invoking the CLI.

Generated by OpenCVE AI on April 14, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title OpenAI Codex CLI Arbitrary Command Execution via Malicious Configuration Files
Weaknesses CWE-78
CWE-94

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Openai
Openai codex
Vendors & Products Openai
Openai codex

Tue, 14 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.
References

Subscriptions

Openai Codex
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T14:14:32.518Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61260

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-14T15:16:24.487

Modified: 2026-04-14T15:16:24.487

Link: CVE-2025-61260

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:31:58Z

Weaknesses