Paperclip: codex_local inherited ChatGPT/OpenAI-connected Gmail and was able to send real email

Description

A Paperclip-managed codex_local runtime was able to access and use a Gmail connector that I had connected in the ChatGPT/OpenAI apps UI, even though I had not explicitly connected Gmail inside Paperclip or separately inside Codex.

In my environment this enabled mailbox access and a real outbound email to be sent from my Gmail account.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 2026.403.0

References

• GHSA-gqqj-85qm-8qhf
• CWE-284
• OWASP 2021-A1

Related Issues

• Paperclip: Malicious skills able to exfiltrate and destroy all user data - Vulnerability
• Gatsby develop server has Local File Inclusion vulnerability - CVE-2023-34238
• FUXA local file inclusion vulnerability - CVE-2023-31718
• Websites were able to send any requests to the development server and read the response in vite - CVE-2025-24010

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

paperclipai