PERMISSION/PROTOCOL

2026-03-30

High · Media report

OpenAI Codex Vulnerability Allowed Attackers to Steal GitHub Tokens

The OpenAI Codex branch-name vulnerability shows how agent task setup can expose GitHub tokens without a credential authorization gate.

OpenAI Codex · Credential exposure · GitHub token exfiltration · Codex container / Git branch checkout / GitHub OAuth token

What happened

BeyondTrust Phantom Labs reportedly demonstrated a command-injection path through malicious GitHub branch names, including invisible Unicode padding to hide the payload.

Why it matters

Reports say the proof of concept could exfiltrate GitHub OAuth tokens from Codex containers, putting connected source code and organization repositories at risk.

Missing authorization check

Agent task setup should have required validation and a signed boundary before untrusted branch metadata could influence shell execution with repository credentials present.

Would PP block it?

This is an agent runtime credential boundary, not just a code-review boundary. Permission Protocol would need to authorize checkout-time shell execution and token use before an agent container receives sensitive GitHub credentials.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-03-30

    Reports described a Codex flaw where crafted GitHub branch names could influence command execution.

  2. Disclosure coverage

    Coverage focused on GitHub token theft risk from the agent container context.

  3. Permission boundary

    The authorization check belongs before token injection and before untrusted branch metadata reaches a shell boundary.

Technical breakdown

  • The exploit class combines untrusted repository metadata with shell execution during agent setup.
  • The sensitive asset is the GitHub token available inside the agent environment.
  • The Permission Protocol gate would need to protect credential injection and privileged setup steps, not only final PR merge.
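As an added example (not code from the Permission Protocol project or from the BeyondTrust report), a Python pre-checkout check that an agent task-setup step could run before a branch name reaches git or any shell: it rejects names git itself forbids, shell metacharacters, and invisible Unicode format and control code points such as the padding described above, and builds the checkout command as an argument vector rather than an interpolated shell string. The 255-character limit and the `git switch` form are assumptions.

```python
import re
import subprocess
import unicodedata

# Characters git itself refuses in a ref name (see git-check-ref-format):
# ASCII control characters, space, ~ ^ : ? * [ \ and the sequences ".." and "@{".
GIT_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]|\.\.|@\{")
# Shell metacharacters. A branch name never needs them; the only way they
# can do harm is when the name is interpolated into a shell command string.
SHELL_META = re.compile(r"[;&|$`\"'<>(){}\n]")
# Unicode general categories that render invisibly or are not real text:
# Cf (format: zero-width, bidi controls), Cc (control), Cs, Co, Cn.
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Cs", "Co", "Cn"}
MAX_LEN = 255  # assumed policy limit, not a git rule


def validate_branch_name(name: str) -> list[str]:
    """Return the reasons a branch name is unsafe; an empty list means OK."""
    problems = []
    if not name or len(name) > MAX_LEN:
        problems.append("empty or overlong")
    if name.startswith("-"):
        problems.append("leading dash (git would parse it as an option)")
    if name.startswith("/") or name.endswith("/") or name.endswith(".lock"):
        problems.append("ref syntax git rejects")
    if GIT_FORBIDDEN.search(name):
        problems.append("character or sequence git rejects")
    if SHELL_META.search(name):
        problems.append("shell metacharacter")
    hidden = [ch for ch in name if unicodedata.category(ch) in INVISIBLE_CATEGORIES]
    if hidden:
        problems.append("invisible code point U+%04X" % ord(hidden[0]))
    return problems


def checkout_argv(name: str) -> list[str]:
    """Build the checkout command as an argument vector (never a shell string).
    Raises ValueError instead of handing a rejected name to git."""
    problems = validate_branch_name(name)
    if problems:
        raise ValueError(f"refusing branch {name!r}: {'; '.join(problems)}")
    return ["git", "switch", name]  # no shell=True, nothing interpolated


def checkout(name: str) -> None:
    """Run the checkout with an argument vector and without a shell."""
    subprocess.run(checkout_argv(name), check=True, shell=False)
```

Running this check before any credential is injected into the container keeps the decision in front of the shell boundary, which is where the page places the missing gate.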

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Runtime Gate. The read is conditional: Permission Protocol blocks the attack only where the real action boundary is routed through a gate.

If enforced at: Agent task setup, branch checkout, credential injection
Still needs: Unsanitized branch metadata before runtime authorization
Receipt required for: GitHub token access, shell execution from branch metadata, repository checkout

Would block if branch checkout, shell execution, or token exposure were routed through a credential/tool authorization gate; a deploy-only PR gate would not catch setup-time injection.

Start small

Put the relevant gate at this action boundary.

This incident maps to Runtime Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
