CVE-2025-61260
Published 2026-04-14
Priority P272 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.06% (93.4th percentile)
A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openai | codex | 0 – 0.23.0 | — |
Detection & IOCs
- Alert on repository-committed .env files that set CODEX_HOME to a relative project-local path (e.g., CODEX_HOME=./.codex), as this is the primary redirection mechanism used to hijack Codex CLI configuration.
- Inspect newly committed or modified ./.codex/config.toml files for mcp_servers entries containing unexpected command/args fields, especially those referencing shell interpreters or network utilities indicative of reverse shells.
- In CI/CD pipelines, flag any codex invocation against a checked-out repository that contains both a .env with CODEX_HOME redirection and a .codex/config.toml, as this combination is the complete exploit chain.
- Track post-merge modifications to ./.codex/config.toml mcp_servers entries in repositories, as an initially benign entry can be silently swapped for a malicious payload without triggering re-approval.
- The fix in Codex CLI v0.23.0 specifically blocks .env files from silently redirecting CODEX_HOME into project directories. Detection rules targeting older versions should account for this behavior being present in all versions prior to 0.23.0.
GHSA
OpenAI Codex CLI enables code execution through malicious MCP (Model Context Protocol) configuration files
ghsa·2026-04-14
CVE-2025-61260 [CRITICAL] CWE-94 OpenAI Codex CLI enables code execution through malicious MCP (Model Context Protocol) configuration files
GHSA
GHSA-xrxf-jgv3-qmrm: A vulnerability was identified in OpenAI Codex CLI v0
ghsa_unreviewed·2026-04-14
CVE-2025-61260 GHSA-xrxf-jgv3-qmrm: A vulnerability was identified in OpenAI Codex CLI v0
No detection rules found.
No public exploits indexed.