Remote Image Exfiltration Vulnerability in OpenAI Codex for macOS
CVE-2026-14898

Currently unrated

Key Information:

Vendor

Openai

Vendor
CVE Published:
6 July 2026

What is CVE-2026-14898?

The OpenAI Codex desktop application for macOS is susceptible to a vulnerability that allows remote images to be rendered from Markdown within model responses. This could enable an attacker to insert indirect prompt injections through untrusted content, prompting the Codex model to generate a remote image URL that may contain sensitive information. When the model fetches this URL, it inadvertently sends confidential data, such as API keys and source code, to an external server. This vulnerability raises significant privacy concerns due to the potential unintentional exfiltration of valuable data without any user interaction required.

Affected Version(s)

Codex desktop app for macOS 0 < 26.527.31326

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wuzzi23 (original report)
Itay Ravia of Cato Networks (independent report)
.