Fullscreen API Spoofing and UI Redressing in OpenAI Operator SaaS
CVE-2025-7021
6.9 MEDIUM
What is CVE-2025-7021?
A vulnerability exists in OpenAI Operator SaaS that involves spoofing and UI redressing through the Fullscreen API. This flaw allows remote attackers to create a deceptive fullscreen interface that overlays fake browser controls. By using distracting elements, such as cookie consent screens, attackers can obscure legitimate notifications, misleading users into unintentionally interacting with malicious sites. This interaction may lead to the capture of sensitive information, including login credentials and email addresses, posing significant risks to user data security.
Affected Version(s)
Operator SaaS