Critical severity9.8NVD Advisory· Published Apr 14, 2026· Updated Apr 17, 2026

CVE-2025-61260

Description

A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@openai/codexnpm	<= 0.23.0	—

Affected products

OpenAI/Codex Cliinferred
Range: <0.23.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-xrxf-jgv3-qmrmghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-61260ghsaADVISORY
openai.comnvdWEB
research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerabilityghsaWEB
research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000