CVE-2025-61260
published 2026-04-14

Priority: P272
Severity: critical (CVSS 3.1 base score 9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.06% (93.4th percentile)
A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.

Affected (1 range)

Vendor: openai
Product: codex
Version range: 0 – 0.23.0
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

Path: ./.codex/config.toml
  • Alert on repository-committed .env files that set CODEX_HOME to a relative project-local path (e.g., CODEX_HOME=./.codex), as this is the primary redirection mechanism used to hijack Codex CLI configuration.
  • Inspect newly committed or modified ./.codex/config.toml files for mcp_servers entries containing unexpected command/args fields, especially those referencing shell interpreters or network utilities indicative of reverse shells.
  • In CI/CD pipelines, flag any codex invocation against a checked-out repository that contains both a .env with CODEX_HOME redirection and a .codex/config.toml, as this combination is the complete exploit chain.
  • Track post-merge modifications to ./.codex/config.toml mcp_servers entries in repositories, as an initially benign entry can be silently swapped for a malicious payload without triggering re-approval.
  • The fix in Codex CLI v0.23.0 specifically blocks .env files from silently redirecting CODEX_HOME into project directories. Detection rules targeting older versions should account for this behavior being present in all versions prior to 0.23.0.