OpenAI Codex: Reported Sandbox Escape Disclosed (ZDI-26-305)

On April 28, 2026, Trend Micro’s Zero Day Initiative (ZDI) published ZDI-26-305, a vulnerability report concerning OpenAI Codex with a CVSS score of 8.6. The reported flaw may enable a sandbox escape triggered by the processing of specific JavaScript repositories. Reports indicate that the initial submission was classified as "out of scope" for the bug bounty program on April 13, 2026. This reported technical risk and the indicated lack of remediation may require enterprise users to evaluate their use of the product.

Key Takeaways
  • ZDI-26-305 affects the OpenAI Codex JavaScript execution environment with a CVSS 8.6 rating and a "Scope Changed" (S:C) designation, suggesting potential impact beyond the immediate component.
  • The attack vector is described as requiring user interaction: a target would need to use Codex to process a repository containing malicious JavaScript; no prior privileges are reportedly required.
  • The vulnerability was reportedly classified as "out of scope" on April 13, 2026; the advisory lists no official patches or forthcoming fixes.
  • According to the advisory, restricting interaction with the product is the only salient mitigation strategy.

The Mechanics of the Reported Sandbox Escape

The vulnerability reportedly resides within the Codex JavaScript execution environment. When the AI agent processes a repository for tasks such as analysis or refactoring, it executes code within the user's context. The ZDI advisory describes the issue as a failure of "proper isolation of the sandboxed context." The security perimeter intended to confine execution could potentially fail, which may allow malicious code to operate with the privileges of the current user.

While the attack vector is local (AV:L), the complexity is described as low (AC:L) and it reportedly requires no initial privileges (PR:N). A critical factor is user interaction (UI:R): a target must load or clone a compromised repository. Because the scope is changed (S:C), the impact could potentially extend past the vulnerable component to the host system, which may result in impacts on confidentiality, integrity, and availability.

The reported lack of isolation between the sandboxed context and the host environment could suggest an architectural gap where the design of the Codex JavaScript runtime may not provide sufficient separation between analyzed code and the execution system.

Report Classification and Disclosure

The disclosure timeline published by ZDI indicates that on April 13, 2026, the vulnerability was "rejected for being out of scope for their bug bounty program." This phrasing suggests a programmatic classification rather than a technical dismissal. The advisory notes no further contact following this classification.

This distinction can have operational consequences. Bug bounty scopes manage programmatic exposure, but may not always align with the full attack surface. When a component is classified as out-of-scope, it may suggest that the component is not covered by the same security guarantees as other services, potentially shifting the burden of risk management to the user.

The publication of the advisory on April 28 followed the reported conclusion of the disclosure process.

"Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product" — ZDI-26-305 advisory

Risk Mitigation

For organizations utilizing OpenAI Codex, the disclosure suggests the following considerations:

Review Usage and Interaction: The primary mitigation listed in the advisory is to restrict interaction with the product. Organizations may evaluate the necessity of using the tool for external or unverified code repositories.

Evaluation of Execution Context: Users may consider the environment in which the AI agent operates. Relying on product-level sandboxing for security may pose risks if that isolation is reported to be fallible.

Operational Monitoring: Organizations may consider monitoring automated systems that integrate with the product, especially those that process external data, to ensure security policies are maintained.

Codex and the Evolution of the AI Attack Surface

AI agents that manipulate code can introduce risks related to the execution of unverified content. Users may be less guarded when asking an agent to examine a repository than when manually running code, a factor that could potentially be exploited.

The classification of this report as out-of-scope highlights potential gaps in security coverage for AI agents. If such components are not recognized as in-scope for standard security programs, the responsibility for identifying and mitigating risks may remain with the end user.

The ZDI advisory's suggestion to restrict interaction reflects the challenge of managing security for tools designed to accelerate development when those tools may lack sufficient isolation.

FAQ

Can this vulnerability be triggered without user knowledge?
According to the CVSS vector, user interaction (UI:R) is required. A target would need to deliberately use Codex to process a malicious repository.

Is there a patched version of OpenAI Codex available?
As of the ZDI-26-305 publication date, the advisory lists no patches or scheduled fixes. Mitigation is currently focused on usage restriction.

Does the "out of scope" classification mean the flaw was not found?
No. The timeline states the report was "rejected for being out of scope," which refers to the programmatic boundaries of the bounty program rather than the technical validity of the submission.

This report is based on the ZDI-26-305 advisory; independent confirmations are not currently available.