{"data":{"id":"3a402d5a-e0fa-402e-a0a1-05fb47813362","title":"GHSA-gqqj-85qm-8qhf: Paperclip: codex_local inherited ChatGPT/OpenAI-connected Gmail and was able to send real email","summary":"A Paperclip-managed `codex_local` runtime (a local code execution environment) could access and use a Gmail connector that had been connected only in the ChatGPT/OpenAI apps UI and was never explicitly set up in Paperclip itself. This trust-boundary failure (a connector authorized in one system being usable from another system that should be isolated from it) allowed the runtime to read emails and send real emails from the user's Gmail account without the user having authorized that access in Paperclip. The exposure was made worse because `codex_local` defaults `dangerouslyBypassApprovalsAndSandbox` to `true`, meaning approval checks and sandbox restrictions are bypassed by default.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-gqqj-85qm-8qhf","publishedAt":"2026-04-16T22:47:40.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["paperclipai@<= 2026.403.0"],"affectedVendors":["OpenAI"],"affectedVendorsRaw":["OpenAI","ChatGPT","Paperclip","Codex"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-04-16T22:47:40.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}