Intel

AIKIDO-2026-732106

@openai/codex is vulnerable to Protection Mechanism Failure

Protection Mechanism Failure Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

63

Medium Risk

This Affects:

JS@openai/codex
0.72.0 - 0.142.1
Fixed in 0.142.2
Are you affected? Scan for Free

TL;DR

On Windows, Codex decides whether a shell command is read-only enough to run without extra approval by parsing PowerShell scripts and lowering only the end-block statements into command words that it checks against a safelist. Parameter defaults, named blocks such as begin and process, using preambles, and top-level trap handlers are not represented in that lowered list, so executable code placed in those regions is never inspected. An attacker who can influence a proposed command can hide side-effecting statements in those uninspected regions so a destructive script is classified as safe and auto-approved without user confirmation. The fix makes the classifier fail closed by rejecting any PowerShell script that contains these uninspected AST regions.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and run Codex on Windows where PowerShell commands can be auto-approved by the command safety classifier.

Background info

@openai/codex is vulnerable to Protection Mechanism Failure in versions 0.72.0 - 0.142.1.

How to fix this

Upgrade the @openai/codex library to the patch version.