OpenAI Codex Desktop App for macOS Vulnerability Allows Attackers to Inject Indirect Prompt
Key Facts
- As AI-assisted development tools continue to gain adoption, vulnerabilities like CVE-2026-14898 underscore the need for secure design practices that account for both traditional and AI-specific attack vectors.
- A newly disclosed vulnerability in the OpenAI Codex desktop application for macOS could allow attackers to exploit indirect prompt injection techniques to exfiltrate sensitive data, according to a recent entry in the GitHub Advisory Database.
- Tracked as CVE-2026-14898, the issue arises from how the Codex app handles Markdown content in model-generated responses.
- However, the lack of available fixes and the increasing focus on prompt injection attacks in AI systems make this vulnerability noteworthy for security teams.
- OpenAI Codex MacOS App Vulnerability When the Codex desktop app renders the response, it automatically fetches the remote image from the attacker-controlled server.
- According to the GitHub Advisory, the exposed data could include API keys, proprietary source code, or information retrieved via connected tools within the Codex session.
- At the time of disclosure, no patched versions have been identified, and the list of affected versions remains unspecified.
- Security experts recommend limiting the processing of untrusted content, reviewing how AI-generated outputs are rendered, and implementing safeguards such as turning off automatic remote resource fetching.
- The post OpenAI Codex Desktop App for macOS Vulnerability Allows Attackers to Inject Indirect Prompt appeared first on Cyber Security News.
As AI-assisted development tools continue to gain adoption, vulnerabilities like CVE-2026-14898 underscore the need for secure design practices that account for both traditional and AI-specific attack vectors. The issue is tracked as CVE-2026-14898. A newly disclosed vulnerability in the OpenAI Codex desktop application for macOS could allow attackers to exploit indirect prompt injection techniques to exfiltrate sensitive data, according to a recent entry in the GitHub Advisory Database.
The AI Risk
Tracked as CVE-2026-14898, the issue arises from how the Codex app handles Markdown content in model-generated responses.
Further details indicate that however, the lack of available fixes and the increasing focus on prompt injection attacks in AI systems make this vulnerability noteworthy for security teams.
OpenAI Codex MacOS App Vulnerability When the Codex desktop app renders the response, it automatically fetches the remote image from the attacker-controlled server.
According to the GitHub Advisory, the exposed data could include API keys, proprietary source code, or information retrieved via connected tools within the Codex session.
Model Weakness
CVEs:
From a technical standpoint, the vulnerability presents several concerns:
At the time of disclosure, no patched versions have been identified, and the list of affected versions remains unspecified.
Security experts recommend limiting the processing of untrusted content, reviewing how AI-generated outputs are rendered, and implementing safeguards such as turning off automatic remote resource fetching.
Impact
on AI Systems
At the time of disclosure, no patched versions have been identified, and the list of affected versions remains unspecified.
Safeguards
-
At the time of disclosure, no patched versions have been identified, and the list of affected versions remains unspecified.
-
However, the lack of available fixes and the increasing focus on prompt injection attacks in AI systems make this vulnerability noteworthy for security teams.
-
Security experts recommend limiting the processing of untrusted content, reviewing how AI-generated outputs are rendered, and implementing safeguards such as turning off automatic remote resource fetching.
Analysis
This disclosure adds to a growing pattern of significant vulnerabilities affecting enterprise infrastructure. As AI tooling proliferates, security teams face expanding attack surfaces tied to model inference and data pipelines.
AI security teams should evaluate their model deployment pipelines for similar weaknesses, paying close attention to input validation, prompt injection defenses, output filtering, and access controls. Organizations building or deploying AI systems should incorporate adversarial testing and red-teaming exercises into their development lifecycle. Data governance policies may need updating to address the specific risks highlighted by this incident, including data leakage, model inversion, and unauthorized inference access. Security teams should also review logging and monitoring coverage for AI services, as traditional security tools may not detect model-specific attacks. Vendor security assessments should be refreshed for any third-party AI components in use.
Industry observers note that this type of development highlights the ongoing need for defense-in-depth strategies and proactive security posture management. Organizations that invest in regular security assessments and employee training tend to fare better when responding to emerging threats. The security community continues to share indicators and best practices to help defenders stay ahead.
Sources
Sources & References
- CVE-2026-14898 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-14898
- CVE-2026-14898 — Git advisory. https://github.com/advisories/CVE-2026-14898
- CVE-2026-14898 — National Vulnerability Database
SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.
Security Digest
Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.
Related Articles
AI-Enabled Hacker Caught: Leaked Prompts Expose Resume and IP Address
A fully AI-enabled hacker was caught, revealing his full system prompts, which included his resume and his IP address.
AI/ML SecurityHow attackers are jailbreaking LLMs with CTF framing and how to catch them AI Security
Over the past 30 days, we’ve collected data from other source IPs that validate our jailbreaking theory: 159.89.93.86 created a LiteLLM master-scoped API key...
AI/ML SecurityIs OpenAI Lockdown Mode an Admission of Risk? Enough?
As AI-powered chatbots expand across customer service, technical support, and enterprise workflows, they become increasingly attractive targets for attackers seeking to extract sensitive data.
AI/ML SecurityThreat Modeling Generative AI: What 11,658 Incidents Reveal About Real-World Risk
Instead, improper output handling (42%) and misinformation/misuse (35%) represent the vast majority of actual incidents.