OpenAI Codex CLI Notify Field Configuration Remote Code Execution

Affected Vendor(s)

OpenAI

Affected Product(s)

Codex CLI

Summary

A critical vulnerability exists in OpenAI Codex CLI that allows arbitrary command execution when a user opens a malicious repository. The notify configuration field, which specifies an external command to spawn for end-user notifications, can be set through a project-level .codex/config.toml file within an untrusted workspace. When the user runs Codex in this directory and completes an agent turn, the malicious command is executed with the user's full privileges.

Timeline

Discovered on
January 16, 2026
Disclosed to Vendor on
January 16, 2026
Published on
January 20, 2026

Credit

Piotr Ryciak

Blog Post

References

OpenAI Codex CLI Pull Request

Learn how Mindgard can help you navigate AI Security

Take the first step towards securing your AI. Book a demo now and we'll reach out to you.

Book a Demo
Protect your AI with Mindgard

Mindgard, the leading provider of Artificial Intelligence security solutions, helps enterprises secure their AI models, agents, and systems across the entire lifecycle. Mindgard’s solution uncovers shadow AI, conducts automated AI red teaming by emulating adversaries, and delivers runtime protection against attacks like prompt injection and agentic manipulation. Trusted by leading organizations in finance, healthcare, and technology, Mindgard is backed by investors including .406 Ventures, IQ Capital, Atlantic Bridge, and Lakestar.

©️ 2026 Mindgard limited
All rights Reserved