GHSA-gqqj-85qm-8qhf: Paperclip: codex_local inherited ChatGPT/OpenAI-connected Gmail and was able to send real email
Summary
A Paperclip-managed `codex_local` runtime (a local code execution environment) could access and use a Gmail connector that was only connected in the ChatGPT/OpenAI apps UI, not explicitly set up in Paperclip itself. This trust-boundary failure (a security gap between two systems that should be isolated) allowed the runtime to read emails and send real emails from the user's Gmail account without permission. The vulnerability was made worse because `codex_local` defaults `dangerouslyBypassApprovalsAndSandbox` to `true`, meaning approval checks and execution restrictions are disabled by default.
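The advisory's two failures (a connector inherited from the provider session that the orchestrator never granted, and an unsafe bypass default) can be modelled as a small capability gate. The code below is an added illustration, not Paperclip's or OpenAI's code; `RuntimeConfig`, `granted_connectors`, the connector names and the sample sessions are all hypothetical, constructed here to show the check a defender would want: the orchestrator's explicit grants are the only source of truth for what a runtime may use, and the bypass flag defaults to off and is reported when on.

```python
"""Hypothetical capability gate for an agent runtime (not Paperclip's code).

Models the advisory's point: tools reachable through the underlying provider
session must NOT become usable just because they exist there; only what the
orchestrator explicitly granted is usable, and sandbox/approval bypass is an
opt-in that an audit flags.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RuntimeConfig:
    name: str
    # Hardened default: approvals and sandbox stay on unless explicitly disabled.
    dangerously_bypass_approvals_and_sandbox: bool = False
    # Connectors the orchestrator has explicitly granted to this runtime.
    granted_connectors: frozenset = frozenset()


def effective_connectors(provider_connectors, config):
    """Connectors the runtime may actually use: present in the provider
    session AND explicitly granted by the orchestrator (intersection)."""
    return frozenset(provider_connectors) & config.granted_connectors


def inherited_connectors(provider_connectors, config):
    """Connectors reachable through the provider session that the orchestrator
    never granted: the trust-boundary leak the advisory describes."""
    return frozenset(provider_connectors) - config.granted_connectors


def authorize(config, provider_connectors, connector, action):
    """Decide whether a runtime may perform `action` on `connector`.

    Returns (allowed, reason). Ungranted connectors are always denied; granted
    ones need a human approval unless the bypass flag is explicitly on.
    """
    if connector not in effective_connectors(provider_connectors, config):
        return False, f"{connector} not granted to {config.name} by the orchestrator"
    if config.dangerously_bypass_approvals_and_sandbox:
        return True, f"{action} on {connector} allowed without approval (bypass on)"
    return False, f"{action} on {connector} requires human approval"


def audit(provider_connectors, config):
    """Findings a defender would want surfaced before the runtime starts."""
    findings = []
    leaked = inherited_connectors(provider_connectors, config)
    if leaked:
        findings.append(
            f"{config.name}: provider session exposes ungranted connectors "
            f"{sorted(leaked)}; they must not be reachable from the runtime"
        )
    if config.dangerously_bypass_approvals_and_sandbox:
        findings.append(f"{config.name}: approvals and sandbox are bypassed")
    return findings


# Constructed sample: the provider-side (ChatGPT/OpenAI apps) session has a
# Gmail connector attached, but the orchestrator only granted a shell tool.
PROVIDER_SESSION_CONNECTORS = {"gmail", "shell"}

WEAK_CONFIG = RuntimeConfig(
    name="codex_local",
    dangerously_bypass_approvals_and_sandbox=True,   # the vulnerable default
    granted_connectors=frozenset({"shell"}),
)

HARDENED_CONFIG = RuntimeConfig(
    name="codex_local",
    # bypass left at the hardened default (False)
    granted_connectors=frozenset({"shell"}),
)


def demo():
    """Show that Gmail is denied in both configs and only the weak one is flagged."""
    weak_send = authorize(WEAK_CONFIG, PROVIDER_SESSION_CONNECTORS, "gmail", "send")
    hard_send = authorize(HARDENED_CONFIG, PROVIDER_SESSION_CONNECTORS, "gmail", "send")
    return {
        "weak_gmail_send": weak_send,
        "hardened_gmail_send": hard_send,
        "weak_findings": audit(PROVIDER_SESSION_CONNECTORS, WEAK_CONFIG),
        "hardened_findings": audit(PROVIDER_SESSION_CONNECTORS, HARDENED_CONFIG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note that the gate is an intersection, not a union: a connector present in the provider session but absent from the orchestrator's grants is denied regardless of the bypass flag, which is exactly the condition the advisory says was not enforced. The audit still reports the leaked connector so the misconfiguration is visible even when nothing has tried to use it.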
Original source: https://github.com/advisories/GHSA-gqqj-85qm-8qhf
First tracked: April 16, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%