VYPR
researchPublished Jul 7, 2026· 1 source

OpenAI Codex macOS App Vulnerable to Indirect Prompt Injection for Data Exfiltration

A vulnerability in OpenAI's Codex desktop app for macOS allows attackers to inject prompts that cause the app to fetch remote images containing sensitive data, leading to potential exfiltration.

A critical vulnerability, identified as CVE-2026-14898, has been discovered in OpenAI's Codex desktop application for macOS, enabling attackers to perform indirect prompt injection attacks for sensitive data exfiltration. The flaw stems from how the application processes Markdown content within model-generated responses, specifically its automatic rendering of remote images without user interaction.

Attackers can craft malicious input that manipulates the Codex model into generating output containing URLs for remote images hosted on attacker-controlled servers. When the Codex app processes this response, it automatically fetches these remote images. During this fetch process, any sensitive data embedded within the image URL parameters is transmitted to the attacker's server, effectively leaking confidential information without the user's knowledge or explicit consent.

This attack vector is particularly concerning due to its stealthy nature. Unlike traditional phishing or social engineering tactics, this vulnerability does not require the user to click a malicious link or approve any action. The data exfiltration occurs silently in the background as part of the application's normal image rendering process. The GitHub Advisory notes that exposed data could include API keys, proprietary source code, or other information accessible through the Codex session's connected tools.

The potential impact is significant, especially for developers using Codex in environments with access to sensitive code repositories and credentials. The vulnerability is categorized under CWE-200, indicating the exposure of sensitive information to an unauthorized actor. While a formal CVSS score has not yet been assigned, the nature of the flaw points to a substantial confidentiality risk, particularly when Codex is integrated with privileged systems or development workflows.

As of the disclosure, there are no patched versions of the Codex desktop app identified, and the specific affected versions remain unspecified. Furthermore, there is currently no reported evidence of active exploitation in the wild. However, the lack of immediate fixes and the growing focus on prompt injection vulnerabilities in AI systems make this a noteworthy issue for security teams.

This vulnerability highlights a broader challenge in securing AI-powered applications. Prompt injection attacks exploit the complex interplay between user input, AI model behavior, and application logic. In this instance, the automatic rendering of AI-generated content combined with the application's fetching mechanism creates an unintended attack surface.

Security professionals recommend mitigating this risk by limiting the processing of untrusted content, carefully reviewing how AI-generated outputs are rendered, and implementing safeguards such as disabling automatic remote resource fetching. Monitoring outbound network traffic and segmenting access to sensitive data can also help reduce the potential for exploitation.

As AI-assisted development tools become more prevalent, vulnerabilities like CVE-2026-14898 underscore the critical need for secure design practices that address both traditional and AI-specific attack vectors.

Synthesized by Vypr AI