CVE-2025-61260: OpenAI Codex CLI enables code execution through malicious MCP (Model Context Protocol) configuration files

April 14, 2026 (updated April 16, 2026)

A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.

References

github.com/advisories/GHSA-xrxf-jgv3-qmrm
github.com/openai/codex
nvd.nist.gov/vuln/detail/CVE-2025-61260
research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability

Code Behaviors & Features

Detect and mitigate CVE-2025-61260 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →