Vulnerabilities | Mar 31, 2026

Critical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise

OpenAI Codex vulnerability allowed extraction of GitHub OAuth tokens via branch name injection.

Summary

Researchers at BeyondTrust discovered a critical vulnerability in OpenAI Codex stemming from improper input sanitization in GitHub branch name processing. Attackers could inject arbitrary commands through branch names to execute malicious payloads, retrieve OAuth tokens, and potentially compromise multiple organizations sharing GitHub repositories. OpenAI patched the vulnerability in late December 2025 after responsible disclosure, but the research highlights expanding attack surfaces as AI agents gain access to sensitive credentials.

Full text

OAuth tokens are frequently complicit in breaches involving AI. When researchers found an obfuscated token while examining the relationship between OpenAI Codex and GitHub, they took notice.

OpenAI Codex is an LLM designed to translate natural language prompt instructions into working source code. It is widely used by developers in their interaction with GitHub repositories for generating new code from ideas and performing pull requests.

OAuth tokens have a checkered relationship with AI. While necessary, they were the primary breach vector in the Salesloft incident during 2025 – leading to compromise in more than 700 organizations. And in March 2026, Grip Security published research into Shadow AI and OAuth tokens in SaaS apps, describing how one stolen token could cause cascading breaches across multiple companies that use the same SaaS app.

The weak link is not just the tokens, but tokens implemented with long term validity. BeyondTrust quickly discovered that the obfuscated token they found was short lived and rapidly expired. Nevertheless, it was briefly visible. The researchers decided to seek a way to extract and abuse it while it was still valid.

The cascading potential of a single stolen token across multiple accounts was no doubt inviting. In this case, the potential was to use the OAuth token to target GitHub repositories that might (especially in the case of OSS repositories) be accessed by individuals from multiple organizations. While the token was short-lived, automation could conceivably be used to first steal and then abuse the token before it expired.

BeyondTrust’s Phantom Labs researchers succeeded – including the automation necessary to compromise the multiple users interacting with a single GitHub repository. It was not an overnight research project, and it was long and complex. Full details on the research are reported in a blog.
The researchers discovered they could access tokens tied to repositories, workflows and private code, with the potential for lateral movement across companies using shared environments. Automation could provide exploitation at scale.

The discovered vulnerability ultimately stems from improper input sanitization in how Codex processed GitHub branch names during task execution. By injecting arbitrary commands through the GitHub branch name parameter, Phantom Labs discovered an attacker could execute malicious payloads inside the agent’s container and retrieve sensitive authentication tokens.

For stealth and reliability (to prove the vulnerability could be used in earnest), the researchers developed further obfuscated payload techniques using Unicode characters. This allowed malicious commands to execute without being visibly detectable in the user interface.

BeyondTrust responsibly disclosed its findings to OpenAI in late December 2025, and to its credit, OpenAI rapidly fixed all reported issues. This particular vulnerability will no longer work against OpenAI Codex. However, the research is a further demonstration of how the combination of AI and OAuth tokens will present attackers with a widening attack surface and an expanding blast radius at least through 2026.

Meanwhile, the moral of the story, according to the BeyondTrust report, is “AI coding agents are not just productivity tools. They are live execution environments with access to sensitive credentials and organizational resources. Because these agents act autonomously, security teams must understand how to govern AI agent identities to prevent command injection, token theft, and automated exploitation at scale.

“As AI agents become more deeply integrated into developer workflows, the security of the containers they run in – and the input they consume – must be treated with the same rigor as any other application security boundary.
The attack surface is expanding, and the security of these environments needs to keep pace.”

Written By Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Indicators of Compromise

  • malware — OpenAI Codex command injection payload (obfuscated Unicode characters)
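
The article attributes the flaw to unsanitized branch names and notes that Unicode characters kept the injected text from showing in the user interface. The following is an added example, not code from OpenAI or BeyondTrust: a defender-side check that rejects risky branch names before they reach any command and renders hidden characters visibly for logs or a UI. The allowlist policy, function names and sample names are assumptions made for illustration.

```python
import re
import unicodedata

# Assumed policy for this example: a conservative ASCII allowlist, stricter
# than git's own ref-name rules, applied before a name reaches any command.
ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,199}")
SHELL_META = set(";&|`$(){}<>\\\"'*?!#~\n\r\t ")


def audit_branch_name(name: str) -> list[str]:
    """Return findings for a branch name; an empty list means it passed."""
    findings = []
    for pos, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if ch in SHELL_META:
            findings.append(f"shell metacharacter {ch!r} at {pos}")
        elif cat in ("Cc", "Cf"):
            findings.append(f"invisible or control U+{ord(ch):04X} at {pos}")
        elif cat.startswith("Z"):
            findings.append(f"Unicode whitespace U+{ord(ch):04X} at {pos}")
        elif ord(ch) > 0x7F:
            findings.append(f"non-ASCII U+{ord(ch):04X} at {pos}")
    if ".." in name or name.endswith((".lock", "/", ".")):
        findings.append("rejected ref-name pattern")
    # Catches what the scan above does not, e.g. an empty name or a leading "-".
    if not findings and not ALLOWED.fullmatch(name):
        findings.append("outside allowlist")
    return findings


def visible(name: str) -> str:
    """Render a name for UI or logs so hidden characters cannot go unseen."""
    return "".join(
        ch if ch.isascii() and ch.isprintable() else f"<U+{ord(ch):04X}>"
        for ch in name
    )


# Constructed sample names (not taken from the research).
SAMPLES = [
    "feature/login-fix",    # ordinary name
    "main;true",            # shell metacharacter
    "main\u200bhidden",     # zero-width space, renders as "mainhidden"
    "release\u3000notes",   # ideographic space, looks like a blank gap
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(visible(s), "->", audit_branch_name(s) or "ok")
```

A name that passes should still be handed to git as a separate argument-list element rather than interpolated into a shell string, so that validation is not the only barrier.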