OpenAI Codex Sandbox Escape Published as Zero-Day After Bug Bounty Rejection
The Zero Day Initiative has published a sandbox escape vulnerability in OpenAI Codex as a 0-day advisory after OpenAI rejected the report as out of scope for its bug bounty program.

On April 28, 2026, the Zero Day Initiative (ZDI) published advisory ZDI-26-305 detailing a sandbox escape vulnerability in OpenAI Codex, the company's AI-powered code generation tool. The flaw, which carries a CVSS score of 8.6, allows remote attackers to bypass the sandbox environment and execute arbitrary code in the context of the current user. The vulnerability was reported to OpenAI on February 24, 2026, but after a series of communications, the vendor rejected the report on April 13, stating it was out of scope for their bug bounty program because the issue was not in the default Codex product surface.
The specific flaw resides in the JavaScript execution environment within Codex. The issue stems from a lack of proper isolation of the sandboxed context, enabling an attacker to escape the sandbox by tricking a target into using Codex to process a repository containing malicious JavaScript. User interaction is required for exploitation, as the victim must open the malicious repository with Codex. Once exploited, the attacker can execute arbitrary code with the privileges of the current user, potentially leading to data theft, system compromise, or further lateral movement.
The disclosure timeline reveals a protracted back-and-forth between ZDI and OpenAI. After ZDI reported the vulnerability on February 24, OpenAI acknowledged receipt the next day. On March 5, OpenAI requested technical clarification, which ZDI provided on March 9. OpenAI confirmed they could reproduce the behavior on April 6, but on April 13, they rejected the vulnerability as out of scope. ZDI responded by declining any rewards or bounties and asked for a fix date. OpenAI stated the vulnerability was not in the default Codex product surface. On April 17, ZDI notified OpenAI of their intention to publish the case as a 0-day advisory, leading to the coordinated public release on April 28.
The impact of this vulnerability is significant given the widespread adoption of AI coding assistants like Codex. Developers and organizations using Codex to process untrusted repositories are at risk. The sandbox escape could allow attackers to steal source code, credentials, or other sensitive data, or to install malware on the developer's machine. The CVSS score of 8.6 reflects the high confidentiality, integrity, and availability impact, the requirement for user interaction, and the changed scope (the sandbox escape affects the user's broader system beyond the sandbox itself).
OpenAI's decision to reject the report as out of scope has drawn criticism from the security community. The ZDI advisory notes that the only salient mitigation is to restrict interaction with the product. This incident highlights ongoing tensions between vendors and security researchers over bug bounty scope definitions, particularly for AI products where sandbox boundaries may be unclear. The publication of this 0-day advisory serves as a warning to Codex users and underscores the need for robust sandboxing in AI coding tools.
This vulnerability is part of a broader pattern of security concerns around AI-powered development tools. As these tools become more integrated into software development workflows, the potential for sandbox escapes and other vulnerabilities to cause widespread damage increases. The ZDI advisory credits researchers Peter Girnus, Demeng Chen, and Project AESIR with TrendAI Zero Day Initiative for discovering the flaw.