CVE-2026-14898 in Codex desktop app for macOS
Summary
by MITRE • 07/06/2026
The OpenAI Codex desktop app for macOS rendered remote images from Markdown in model responses. An attacker who could place an indirect prompt injection in content processed by Codex, such as a connected-tool result or another untrusted source, could induce the model to construct a remote image URL containing sensitive data. The app automatically fetched that URL when rendering the response, sending the embedded data to an attacker-controlled server without a separate user click. Successful exploitation could exfiltrate secrets and other information accessible in the Codex session, including API keys, source code, and data returned by connected tools. No direct integrity or availability impact was demonstrated, and there is no known exploitation in the wild.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/06/2026
The vulnerability identified in the OpenAI Codex desktop application for macOS represents a critical security flaw that demonstrates how seemingly benign markdown rendering functionality can be exploited to create sophisticated data exfiltration channels. This issue arises from the application's automatic fetching behavior when processing remote image URLs embedded within markdown content generated by the AI model. The vulnerability operates through a prompt injection vector where malicious input from untrusted sources can influence the model's response generation, leading to the creation of carefully crafted URLs that contain sensitive information accessible within the Codex session environment.
The technical exploitation mechanism leverages indirect prompt injection techniques that allow attackers to manipulate the AI model's output generation process through connected tools or other external data sources. When the Codex application processes markdown content containing remote image references, it automatically attempts to fetch and render these images without requiring explicit user interaction or confirmation. This automatic behavior creates an attack surface where maliciously constructed URLs can be embedded within model responses, enabling covert data exfiltration to attacker-controlled servers. The vulnerability specifically targets the trust relationship between the application and remote resources, exploiting the implicit assumption that markdown image sources are benign and safe for automatic retrieval.
The operational impact of this vulnerability extends beyond simple information disclosure to encompass potential compromise of sensitive development environments and intellectual property assets. Attackers could potentially extract API keys, source code fragments, and other data returned by connected tools that are accessible within the Codex session context. This represents a significant risk for developers who rely on the application for code generation and analysis tasks where sensitive project information might be present in tool responses or contextual data. The vulnerability's stealth nature makes it particularly dangerous since no user interaction is required for exploitation, potentially allowing attackers to harvest sensitive data without detection during routine development workflows.
Security mitigations should focus on implementing strict URL validation and sanitization mechanisms within the markdown processing pipeline to prevent automatic fetching of remote resources. The application should enforce explicit user consent requirements before attempting to retrieve external content, particularly when that content originates from AI-generated responses. Additionally, input sanitization measures should be implemented to detect and neutralize potentially malicious URL constructions within model outputs, aligning with common security practices for preventing prompt injection attacks. This vulnerability demonstrates the importance of considering the full attack surface when designing AI-powered applications, particularly regarding how automated behaviors interact with untrusted input sources and the need for comprehensive security controls that address both direct and indirect threat vectors.
This issue relates to CWE-20, which addresses improper input validation, and CWE-1236, which covers the use of untrusted inputs in API calls. The attack pattern aligns with ATT&CK technique T1566, focusing on spearphishing attachments and social engineering methods that exploit application trust relationships. The vulnerability also reflects broader security concerns around AI model integrity and the potential for malicious actors to manipulate AI outputs for unauthorized data extraction purposes, highlighting the need for robust security controls in AI-assisted development environments.