OpenAI Codex Desktop App for macOS Vulnerability Allows Attackers to Inject Indirect Prompt

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A newly disclosed vulnerability in the OpenAI Codex desktop application for macOS could allow attackers to exploit indirect prompt injection techniques to exfiltrate sensitive data, according to a recent entry in the GitHub Advisory Database.

Tracked as CVE-2026-14898, the issue arises from how the Codex app handles Markdown content in model-generated responses.

Specifically, the application automatically renders remote images embedded in Markdown without requiring explicit user interaction.

This behavior creates an unexpected data-exposure pathway when combined with prompt-injection attacks. The vulnerability allows a threat actor to craft malicious input that influences the model’s output.

If Codex processes untrusted content, attackers can use indirect prompts to generate remote image URLs that embed sensitive data in their parameters.

OpenAI Codex MacOS App Vulnerability

When the Codex desktop app renders the response, it automatically fetches the remote image from the attacker-controlled server.

During this process, any embedded sensitive data is transmitted as part of the request, effectively leaking confidential information without the user’s knowledge or consent.

This type of attack is particularly concerning because it does not require direct user interaction beyond normal usage.

The user does not need to click on a link or approve a request, as the image retrieval happens silently in the background. As a result, the vulnerability introduces a stealthy data exfiltration channel.

According to the GitHub Advisory, the exposed data could include API keys, proprietary source code, or information retrieved via connected tools within the Codex session.

Since Codex is often used in development environments with access to sensitive repositories and credentials, the potential impact could be significant in real-world scenarios.

The vulnerability has been categorized under CWE–200, which refers to the exposure of sensitive information to an unauthorized actor.

While no official CVSS score has been assigned yet, the nature of the flaw suggests a meaningful confidentiality risk, especially in environments where Codex is integrated with privileged systems or development workflows.

At the time of disclosure, no patched versions have been identified, and the list of affected versions remains unspecified.

Additionally, there is currently no evidence of active exploitation in the wild. However, the lack of available fixes and the increasing focus on prompt injection attacks in AI systems make this vulnerability noteworthy for security teams.

This issue highlights a broader challenge in securing AI-powered applications. Unlike traditional software vulnerabilities, prompt injection exploits the interaction between user input, model behavior, and application logic.

In this case, the combination of automatic content rendering and model-generated outputs creates an unintended attack surface.

For example, a developer using Codex to analyze logs or pull data from an external tool could unknowingly process attacker-controlled input.

If that input contains a hidden prompt injection, the model may generate a response that includes a malicious image URL carrying sensitive session data, which is then automatically transmitted.

Security experts recommend limiting the processing of untrusted content, reviewing how AI-generated outputs are rendered, and implementing safeguards such as turning off automatic remote resource fetching.

Monitoring outbound network requests and isolating sensitive data access can also reduce the risk of exploitation.

As AI-assisted development tools continue to gain adoption, vulnerabilities like CVE-2026-14898 underscore the need for secure design practices that account for both traditional and AI-specific attack vectors.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.