BeyondTrust Phantom Labs disclosed a critical command injection vulnerability in OpenAI’s Codex cloud environment on March 30, 2026. The vulnerability allowed attackers to steal GitHub OAuth tokens by injecting shell commands through a branch name parameter. A branch name. That is where the entire attack starts.
The flaw affected every Codex surface: the ChatGPT website, Codex CLI, Codex SDK, and the Codex IDE Extension. OpenAI classified it as Critical (Priority 1) and remediated all issues by February 5, 2026, following responsible disclosure that began December 16, 2025. No CVE has been assigned.
How an unsanitized branch name became arbitrary code execution
OpenAI Codex is a cloud-based coding agent accessible through ChatGPT. Developers connect a GitHub repository, submit a prompt, and Codex spins up a managed container to execute the task. The container clones the repository during setup using a GitHub OAuth token embedded in the git remote URL. That token is live and has network access during the setup phase. It gets removed before the agent phase begins, but during setup, it is there.
The ChatGPT Codex Connector GitHub application requests read and write access to repositories, workflows, actions, issues, and pull requests. When authorized within a GitHub organization, it gains access to private organizational resources. That scope becomes important later.
When a user submits a task, Codex sends an HTTP POST request to https://chatgpt.com/backend-api/wham/tasks containing the environment identifier, the branch name, and the prompt text. On the backend, that branch name is passed directly into shell commands during container initialization, most critically a git fetch operation, without sanitization or quoting.
Shell metacharacters like ;, &&, |, $(), and backticks in the branch name are interpreted literally by Bash. That is a command injection.
BeyondTrust researcher Tyler Jespersen confirmed the injection by passing "-1" as the branch name. The container raised an error in the Codex environment logs, proving the input flowed unsanitized into the execution context.
From there, crafting a payload to exfiltrate the GitHub OAuth token was straightforward:
- Set the branch to
main - Append a semicolon to terminate the git command
- Inject a second command that writes the output of
git remote get-url origin(which contains the cleartext OAuth token) to a file - Ask the Codex agent via the prompt to read and return that file’s contents
The task output in the Codex web portal returned the cleartext GitHub OAuth token. That is the whole attack. A semicolon and a backtick subshell.