Codex release notes and the security gap in pinned agent fleets


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago

TL;DR: OpenAI’s Codex CLI release notes map seven weeks of security-relevant fixes, including untrusted-repo code execution, browser-reachable local WebSocket exposure, read-deny bypasses, and credential-handling changes, according to Backslash Security. The lesson is that pinned agent versions inherit old trust boundaries, so version floors become a governance control, not a maintenance detail.

NHIMG editorial — based on content published by Backslash Security: Every Codex Release Note Is a Security Receipt

By the numbers:

Questions worth separating out

Q: What breaks when an agentic coding tool stays below its security floor?

A: Older versions keep the earlier trust boundary, so approval scope, listener protection, read restrictions, sandbox egress, or hook enforcement may remain weaker than the maintainer now intends.

Q: Why do agentic tools complicate version governance for IAM teams?

A: Because the version is part of the control plane, not just the software package.

Q: How do security teams know if an agent release floor is actually being enforced?

A: They should compare deployed versions across endpoints, containers, and running sessions against the minimum floor for each security boundary, then verify that blocked versions cannot start or persist.

Practitioner guidance

  • Inventory agent versions across all execution environments: track Codex CLI versions on laptops, CI images, containers, and long-lived sessions, then compare them to the minimum version floor for each security boundary.
  • Define version floors as enforceable policy: create a control that blocks or flags agent versions below the floor required for approval scope, read-deny enforcement, listener origin checks, and sandbox egress control.
  • Audit local execution surfaces for untrusted input paths: review repository hooks, Git helpers, WebSocket listeners, and tool result handlers to see where untrusted content can still reach local code execution.
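The inventory and floor-enforcement steps above, and the Q&A answer about comparing deployed versions against a per-boundary floor, can be expressed as a small audit script. The following is an added example, not code from NHIMG or from Backslash Security's research: the floor table and the fleet inventory are constructed placeholders (the version numbers are not Codex CLI's actual release numbers, which the full article maps), and the boundary names mirror the ones this post lists. The script parses semver-style versions (pre-release builds sort below the matching release), reports which boundaries each install is still below the floor for, and derives the single fleet-wide floor that satisfies every boundary.

```python
"""Version-floor audit for a fleet of agent installs.

Added example, not NHIMG's or Backslash Security's code. FLOORS and
INVENTORY are constructed placeholders, not real Codex CLI releases.
"""
import re

# Hypothetical floor table: the minimum version at which each trust
# boundary is enforced the way the maintainer now intends.
FLOORS = {
    "approval_scope": "0.20.0",
    "read_deny": "0.22.0",
    "listener_origin_check": "0.24.1",
    "sandbox_egress": "0.25.0",
}

# Constructed inventory: one entry per execution environment.
INVENTORY = [
    {"host": "laptop-01", "env": "laptop", "version": "0.25.3"},
    {"host": "ci-image-2024q4", "env": "ci", "version": "0.21.0"},
    {"host": "agent-pod-7", "env": "container", "version": "0.24.1"},
    {"host": "session-long-1", "env": "session", "version": "0.19.8-beta"},
]

_SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(v):
    """Turn '0.24.1' or '0.19.8-beta' into a comparable tuple.

    A pre-release suffix sorts below the bare release, as semver requires,
    so a pinned '0.19.8-beta' does not pass a '0.19.8' floor.
    """
    m = _SEMVER.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def below_floor(version, floor):
    """True when `version` is older than the boundary's `floor`."""
    return parse_version(version) < parse_version(floor)


def missing_boundaries(version, floors=FLOORS):
    """Boundaries for which this version still carries the older trust model."""
    return sorted(b for b, f in floors.items() if below_floor(version, f))


def audit(inventory, floors=FLOORS):
    """Map host -> list of boundaries below floor, for non-compliant installs only."""
    findings = {}
    for item in inventory:
        gaps = missing_boundaries(item["version"], floors)
        if gaps:
            findings[item["host"]] = gaps
    return findings


def effective_floor(floors=FLOORS):
    """The one version a fleet-wide policy must enforce: the highest boundary floor."""
    return max(floors.values(), key=parse_version)


if __name__ == "__main__":
    for host, gaps in audit(INVENTORY).items():
        print(f"{host}: below floor for {', '.join(gaps)}")
    print("fleet-wide floor:", effective_floor())
```

In practice the inventory would be fed from endpoint agents, image scans, and session telemetry rather than a literal list, and a non-empty `audit()` result is what the blocking or flagging control in the second guidance item should act on.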

What's in the full article

Backslash Security's full research covers the operational detail this post intentionally leaves for the source:

  • Release-by-release PR mapping for the seven-week Codex CLI window, including the exact security-relevant fixes behind each floor.
  • Version-floor table showing which boundary changed in each release and what a pinned install still carries below that floor.
  • Appendix methodology for how the team validated the version delta and separated PR-confirmed findings from lab-reproduced behavior.
  • Detailed evidence for the WebSocket and /diff findings, including the request patterns used to confirm the control changes.

👉 Read Backslash Security's analysis of Codex release-note security floors →
