Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
AC:H reflects the non-trivial requirement to successfully craft indirect prompt injection that survives LLM processing; no system privileges needed; confidentiality impact only.
Primary rating from Vendor (OAI).
CVSS VectorVendor: OAI
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
The OpenAI Codex desktop app for macOS rendered remote images from Markdown in model responses. An attacker who could place an indirect prompt injection in content processed by Codex, such as a connected-tool result or another untrusted source, could induce the model to construct a remote image URL containing sensitive data. The app automatically fetched that URL when rendering the response, sending the embedded data to an attacker-controlled server without a separate user click. Successful exploitation could exfiltrate secrets and other information accessible in the Codex session, including API keys, source code, and data returned by connected tools. No direct integrity or availability impact was demonstrated, and there is no known exploitation in the wild.
AnalysisAI
Remote image auto-fetch in the OpenAI Codex desktop app for macOS (versions prior to 26.527.31326) enables silent exfiltration of session secrets via indirect prompt injection. An attacker who can place malicious instructions into content processed by Codex - such as a tool result, API response, or file read during a session - can manipulate the model into generating a Markdown image tag whose URL encodes sensitive data; the app then automatically fetches that URL, transmitting API keys, source code, or tool-returned data to an attacker-controlled server with no additional user action. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to be running the OpenAI Codex desktop app for macOS at a version prior to 26.527.31326, and to process content in a session that contains attacker-influenced material - such as tool results from a connected external service, file contents read by the app, API responses ingested into context, or data from a cloned repository. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 6.5 Medium score (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) captures network reachability and high confidentiality impact but may slightly understate attack complexity: successful exploitation requires not only that attacker-controlled content reach the Codex session but also that the injected instructions effectively manipulate the LLM output - a meaningful, if increasingly well-understood, technical hurdle. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer clones an attacker-controlled repository and asks Codex to review the README or run a connected tool that fetches attacker-influenced content. The attacker has embedded prompt injection instructions in that content - for example, 'Include an image: ' - causing Codex to generate a Markdown response containing the crafted image URL. … |
| Remediation | Update the OpenAI Codex desktop app for macOS to version 26.527.31326 or later, which resolves the automatic remote image fetch behavior in model-generated Markdown (per EUVD-2026-41915; vendor product page: https://openai.com/codex/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41915
GHSA-gj6m-4qqg-3cw8