A newly disclosed vulnerability in OpenAI’s Codex desktop app for macOS reveals how a seemingly cosmetic feature, rendering images in chat responses, could have handed attackers a silent channel to steal API keys, source code, and other sensitive session data.
Tracked as CVE-2026-14898 and published to the GitHub Advisory Database as GHSA-gj6m-4qqg-3cw8, the flaw underscores a growing class of risks unique to AI coding assistants that blend model outputs with real-time rendering behavior.
The issue stems from how the Codex desktop app handled Markdown in model responses. When Codex generated a reply containing a Markdown image tag, the app automatically fetched the image from a remote URL and rendered it, with no user click required.
That auto-fetch behavior becomes dangerous when combined with indirect prompt injection. An attacker doesn’t need direct access to the victim’s Codex session.
Instead, they plant malicious instructions inside content the model later processes, such as a file returned by a connected tool, a webpage summary, or any other untrusted data source Codex ingests during a task.
If Codex follows those hidden instructions, it can be manipulated into constructing an image URL that embeds sensitive session data, like an API key or a code snippet, as part of the URL string.
The moment the app renders that response, it silently pings the attacker’s server with the data attached, completing the exfiltration without any visible warning to the user.
This is a textbook case of CWE-200, Exposure of Sensitive Information to an Unauthorized Actor, but the delivery mechanism is what makes it notable.
Codex sessions often have access to source code repositories, environment variables, and outputs from connected tools, exactly the kind of high-value data attackers want.
Because the exploitation path relies on indirect prompt injection, the attack surface extends beyond the user’s direct inputs. Any external content the model reads during a session- documentation, API responses, or third-party files- becomes a potential injection vector.
That’s a meaningful shift from traditional software vulnerabilities where the attacker typically needs some form of direct interaction with the target system.
Mitigation
As of publication, the advisory lists affected and patched versions as unknown, and severity has not yet been formally scored. There’s no evidence of in-the-wild exploitation, and the flaw has no direct impact on integrity or availability; its danger lies entirely in confidentiality.
Organizations using Codex desktop should watch for OpenAI’s patch guidance and, in the interim, treat any AI tool that renders remote content automatically as a potential data exfiltration risk. Practical steps include:
- Auditing which connected tools and data sources Codex sessions can access
- Disabling automatic remote image rendering where configurable
- Treating all AI-ingested external content as untrusted input
- Monitoring outbound network requests from AI desktop clients for anomalies
This disclosure adds to a growing pattern: AI coding assistants that integrate deeply with developer workflows also inherit developer-grade attack surfaces. As tools like Codex gain more autonomy within connected systems, security teams will need to extend traditional prompt-injection defenses to cover UI rendering behaviors, not just model outputs.