OpenAI fixed a flaw in its Codex coding agent tool that could have been used to steal GitHub OAuth tokens, BeyondTrust disclosed Monday.Codex allows users to interact with GitHub repositories and uses OAuth 2.0 tokens to authenticate to GitHub, which are short-lived but grant high permissions by default so the agent has enough access to act on behalf of the user.BeyondTrust found that when a Codex user runs a prompt against a GitHub repository branch, Codex fails to sanitize the repo branch name. When Codex sets up an environment and container to handle the user’s request, malicious bash commands in the branch name can be executed by the container when cloning the repo.These commands can be used to capture the plaintext token, which is passed by the container during the cloning process. An attacker can leverage this token to gain unauthorized access to the user’s GitHub account.BeyondTrust presented a proof-of-concept (PoC) attack that uses a command hidden in a GitHub branch name to exfiltrate OAuth tokens from Codex containers to a remote attacker server. They explained that, in order to work around GitHub’s branch name restrictions, the internal field separator payload “${IFS}” must be used instead of spaces but will still be interpreted as a space when evaluated in bash.To hide the suspicious branch name from the user, 94 ideographic spaces (Unicode U+3000) followed by “|| true” were used in the PoC, which makes only the benign part of the branch name (“main”) visible in the Codex user interface. Adding || true (“or true”) prevents the Unicode characters triggering an error in bash.Setting the malicious branch as the default branch increases the chance of success, as this makes it more likely Codex will be run on this branch. This attack could potentially be used to escalate privileges and move laterally in a shared repo scenario, where the attacker can modify a branch name in a trusted repo, BeyondTrust noted.The researchers further found that GitHub Installation Access tokens could also be exposed using a malicious branch name when Codex is invoked by referencing @codex in a comment or pull request on the branch. This causes Codex to create a code review container from which the installation access token is exfiltrated. BeyondTrust reported this vulnerability to OpenAI via BugCrowd in December 2025, with initial fixes made within a week of the report and full remediation of the branch shell escape completed in January 2026. OpenAI classified the vulnerability as being critical severity.The researchers recommend users of AI coding agents audit the permissions these tools have to GitHub and other development environments, following the principle of least privileges. They should also monitor any shared repositories for unusual branch names, and regularly rotate their GitHub tokens.
AI/ML, Identity, Supply chain, DevOps, Application security
OpenAI fixes Codex flaw that could lead to GitHub token theft

(Credit: Robert – stock.adobe.com)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



