OpenAI Codex Exposes GitHub Tokens Via Command Injection

Phantom Labs, the research arm of BeyondTrust, reported on March 30, 2026 that a command-injection vulnerability in OpenAI’s Codex could expose short-lived GitHub OAuth tokens by manipulating branch names during task creation. The flaw affected Codex web UI, CLI, SDK and IDE integrations and could be scaled across repositories; OpenAI has deployed fixes including input validation, stronger shell escaping and reduced token scope and lifetime.
Key Points
- 1Demonstrates command injection via branch-name processing that leaks GitHub OAuth tokens from Codex containers
- 2Highlights risk of lateral movement in enterprise environments when agents hold broad repository permissions
- 3Requires developers and security teams to treat agent execution environments as critical attack surface, enforce input validation
Scoring Rationale
This is a high-impact security disclosure with official fixes from OpenAI and broad enterprise implications, boosting credibility and scope. Score reduced slightly for limited technical PoC detail and because mitigations have already been deployed, though practitioners must still act on input validation and token policies.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems

