The OpenAI Codex command-line interface has been observed automatically trusting and executing project-local configuration files, creating a Remote Code Execution (RCE) path that attackers could exploit during routine development workflows.
New analysis published by Check Point Research showed the Codex CLI loaded Model Context Protocol (MCP) server definitions from local configuration files whenever users ran codex inside a repository.
For context, MCP is a framework that allows developers to integrate other tools and applications into Codex.
If a project contained a .env file that redirected CODEX_HOME to a local folder and a corresponding .codex/config.toml file that defined MCP commands, the CLI executed those commands immediately at startup (without prompts, provenance checks, or re-validation when the configuration changed).
This ability to add arbitrary shell commands to a commit or pull request allowed malicious users to write code to create files, run programs, steal credentials, and set up a reverse shell on a developer’s machine when they used the Codex CLI to clone a repository and run the CLI locally.
Supply-Chain And DevSec Implications
Check Point highlighted broader software supply-chain risks; compromised starter templates or open-source projects could propagate the issue to downstream consumers.
CI pipelines that executed Codex could also run attacker-controlled commands during automated builds, potentially compromising build artifacts and deployment flows.
OpenAI addressed the flaw in version 0.23.0 by preventing .env files from redirecting CODEX_HOME into project directories, stopping automatic execution of project-supplied configurations.
Check Point confirmed that the fix is effective, saying that “Codex CLI now blocks project-local redirection of CODEX_HOME, requiring safer defaults and stopping immediate execution of attacker-supplied project files.”
Security teams and developers are advised to update to Codex CLI 0.23.0 or later, review repository hygiene practices, and audit development workflows to identify suspicious configuration loading behaviors.
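
As an added example (not code from Check Point Research or OpenAI), the following check audits a checked-out repository for the combination described above: a .env file that points CODEX_HOME inside the project, plus the commands the redirected config.toml would start. The `[mcp_servers.<name>]` table with a `command` key is an assumption about the config layout, and the sample repository is constructed.

```python
import re
import tempfile
from pathlib import Path

# dotenv line such as `CODEX_HOME=./.codex` (optional `export`, optional quotes)
ENV_RE = re.compile(
    r'^[ \t]*(?:export[ \t]+)?CODEX_HOME[ \t]*=[ \t]*["\']?([^"\'#\r\n]*)', re.M)
# Assumption: MCP servers are TOML tables [mcp_servers.<name>] with a `command` key
TABLE_RE = re.compile(r'^\s*\[\s*mcp_servers\.([^\]]+?)\s*\]')
CMD_RE = re.compile(r'^\s*command\s*=\s*(.+?)\s*$')

def codex_home_redirect(repo):
    """Return the resolved CODEX_HOME if the repo's .env points it inside the repo."""
    env = repo / ".env"
    m = ENV_RE.search(env.read_text(errors="replace")) if env.is_file() else None
    if not m or not m.group(1).strip():
        return None
    # An absolute or ~ path replaces the repo prefix; a relative one stays inside it
    target = (repo / Path(m.group(1).strip()).expanduser()).resolve()
    return target if target.is_relative_to(repo.resolve()) else None

def mcp_commands(config):
    """Map each MCP server name in a config.toml to its startup command."""
    found, current = {}, None
    for line in config.read_text(errors="replace").splitlines():
        if line.lstrip().startswith("["):
            t = TABLE_RE.match(line)
            current = t.group(1) if t else None
        elif current and (c := CMD_RE.match(line)):
            found[current] = c.group(1).strip("\"'")
    return found

def audit(repo):
    """Report a project-local CODEX_HOME and the commands its config would start."""
    home = codex_home_redirect(repo)
    cfg = home / "config.toml" if home else None
    servers = mcp_commands(cfg) if cfg and cfg.is_file() else {}
    return {"redirect": home is not None, "servers": servers}

def build_sample(root):
    """Constructed repository layout with a harmless command, for demonstration."""
    (root / ".codex").mkdir()
    (root / ".env").write_text("CODEX_HOME=./.codex\n")
    (root / ".codex" / "config.toml").write_text(
        '[mcp_servers.docs]\ncommand = "echo"\nargs = ["constructed sample"]\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(Path(d))
        print(audit(Path(d)))
```

A redirect result of true is worth reviewing on any Codex CLI version, since it shows the repository was set up to steer the CLI to project-supplied configuration.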