Cyber Posture

CVE-2025-61260

Critical

Published: 14 April 2026
Modified: 17 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.8th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was identified in OpenAI Codex CLI v0.23.0 and earlier that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly remediates the code injection flaw in OpenAI Codex CLI by applying vendor patches or updates to affected installations (v0.23.0 and earlier).

prevent

Requires validation of untrusted inputs from project-local .env and .codex/config.toml files to block arbitrary command execution.

prevent

Verifies integrity of configuration files and software before loading to detect modifications enabling malicious code execution.

Security Summary (AI)

CVE-2025-61260 is a code injection vulnerability (CWE-94) affecting OpenAI Codex CLI versions v0.23.0 and earlier. The flaw enables arbitrary code execution through malicious MCP (Model Context Protocol) configuration files, specifically project-local .env and .codex/config.toml files. Codex automatically loads these files without user confirmation when the 'codex' command is executed, allowing embedded arbitrary commands to run immediately.

The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely with low complexity and with no privileges or user interaction required. Attackers can exploit it by compromising a repository, or by tricking users into running the codex command within a repository that contains malicious configuration files. The executed arbitrary commands give high impact on confidentiality, integrity, and availability.

Advisories and patches are detailed in references from OpenAI (http://openai.com) and Check Point Research (https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/). Security practitioners should consult these sources for specific mitigation guidance and patch information.

This vulnerability affects an AI-powered code generation tool from OpenAI, highlighting risks in CLI tools that integrate with repositories for AI/ML-assisted development workflows. No real-world exploitation status is available in the provided data.

Details

CWE(s)

AI Security Analysis (AI)

AI Category: APIs and Models
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: openai, mcp, model context protocol

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1195.002 Compromise Software Supply Chain (Tactic: Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

The vulnerability enables arbitrary code execution (RCE) in client software (Codex CLI) via malicious config files (T1203) and is facilitated by compromising repositories to host these files (T1195.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References