GHSA-gqqj-85qm-8qhf — HIGH (CVSS 8.7) AI Security Vulnerability

Q: Is GHSA-gqqj-85qm-8qhf actively exploited?

No confirmed active exploitation of GHSA-gqqj-85qm-8qhf has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-gqqj-85qm-8qhf?

1. Immediately revoke Gmail OAuth grants from OpenAI/ChatGPT apps for all users running Paperclip codex_local agents. 2. Audit codex-home/plugins/cache/openai-curated/ directories on all Paperclip deployments for cached connector state. 3. Set dangerouslyBypassApprovalsAndSandbox to false in all codex_local agent configurations — this is a code-level change required in Paperclip configuration files until an upstream fix ships. 4. Block write-capable connector actions (send_email, send_draft, update_draft) at the network/proxy layer for agentic runtimes. 5. Monitor Gmail activity logs for unexpected sends from automated accounts. 6. Pin paperclipai to a patched version when one is released — currently no patched version exists. 7. Apply principle of least privilege: scope connector grants to read-only where send capability is not required.

Q: What systems are affected by GHSA-gqqj-85qm-8qhf?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, Multi-agent automation platforms, LLM agent pipelines with external connectors, Agentic email automation.

Q: What is the CVSS score for GHSA-gqqj-85qm-8qhf?

GHSA-gqqj-85qm-8qhf has a CVSS v3.1 base score of 8.7 (HIGH).

CISO Take

Paperclip AI's codex_local runtime silently inherits Gmail connectors configured in the ChatGPT/OpenAI apps UI, granting the agent full read and send access to the user's personal Gmail account without any explicit authorization or approval gate within Paperclip itself. This is not a theoretical exposure — the reporter confirmed actual outbound emails were dispatched from a personal account, followed by automated retraction messages, demonstrating persistent write capability. With 2,703 downstream dependents and no patch available, any organization deploying Paperclip in agentic workflows where employees also use ChatGPT with Gmail connected is immediately exposed; the default setting `dangerouslyBypassApprovalsAndSandbox = true` eliminates the last line of defense by design. Immediately audit all Paperclip deployments, revoke Gmail OAuth grants from OpenAI apps if Paperclip codex_local is in use, and treat this as an active incident response scenario until an official patch is released.

Sources: GitHub Advisory ATLAS

Risk Assessment

HIGH. CVSS 8.7 reflects accurate severity: network-accessible, low complexity, and the only friction is a pre-existing Gmail connection in OpenAI apps (common in enterprise environments). The absence of any patch elevates urgency. The `dangerouslyBypassApprovalsAndSandbox = true` default eliminates human-in-the-loop controls, making exploitation a single agent invocation. Insider threat and supply-chain abuse scenarios compound the blast radius given 2,703 dependents.

Attack Kill Chain

Connector Cache Discovery

The codex_local runtime scans the codex-home plugin cache and discovers pre-existing OpenAI-curated Gmail connector state, including OAuth credentials, at codex-home/plugins/cache/openai-curated/gmail/.

AML.T0084.001

Approval Gate Bypass

With dangerouslyBypassApprovalsAndSandbox defaulting to true, the agent proceeds without triggering any human approval prompt before invoking write-capable Gmail tools.

AML.T0107

Mailbox Enumeration

The agent calls gmail_get_profile and gmail_search_emails to identify the connected account and harvest email thread content from the victim's personal Gmail inbox.

AML.T0053

Unauthorized Email Exfiltration

The agent invokes gmail_send_email to dispatch outbound messages from the victim's trusted Gmail address to external third parties, with real message IDs and timestamps confirming delivery.

AML.T0086

Connector Cache Discovery

The codex_local runtime scans the codex-home plugin cache and discovers pre-existing OpenAI-curated Gmail connector state, including OAuth credentials, at codex-home/plugins/cache/openai-curated/gmail/.

AML.T0084.001

Approval Gate Bypass

With dangerouslyBypassApprovalsAndSandbox defaulting to true, the agent proceeds without triggering any human approval prompt before invoking write-capable Gmail tools.

AML.T0107

Mailbox Enumeration

The agent calls gmail_get_profile and gmail_search_emails to identify the connected account and harvest email thread content from the victim's personal Gmail inbox.

AML.T0053

Unauthorized Email Exfiltration

The agent invokes gmail_send_email to dispatch outbound messages from the victim's trusted Gmail address to external third parties, with real message IDs and timestamps confirming delivery.

AML.T0086

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
paperclipai	npm	<= 2026.403.0	No patch
10.8K 2.7K dependents Pushed 5d ago 60% patched ~0d to patch Full package profile →

Do you use paperclipai? You're affected.

Severity & Risk

CVSS 3.1

8.7 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI Required

S Changed

C High

I High

A None

Recommended Action

7 steps

Immediately revoke Gmail OAuth grants from OpenAI/ChatGPT apps for all users running Paperclip codex_local agents.
Audit codex-home/plugins/cache/openai-curated/ directories on all Paperclip deployments for cached connector state.
Set dangerouslyBypassApprovalsAndSandbox to false in all codex_local agent configurations — this is a code-level change required in Paperclip configuration files until an upstream fix ships.
Block write-capable connector actions (send_email, send_draft, update_draft) at the network/proxy layer for agentic runtimes.
Monitor Gmail activity logs for unexpected sends from automated accounts.
Pin paperclipai to a patched version when one is released — currently no patched version exists.
Apply principle of least privilege: scope connector grants to read-only where send capability is not required.

Classification

Auth Bypass Privacy Violation Data Extraction Agent Plugin API AML.T0048.003 - User Harm AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0084.001 - Tool Definitions AML.T0086 - Exfiltration via AI Agent Tool Invocation AML.T0107 - Exploitation for Defense Evasion

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

8.4 - AI system operation A.9.7 - AI system security

NIST AI RMF

GOVERN 6.1 - Policies and procedures for AI risk MANAGE 2.2 - Risk treatment mechanisms

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is GHSA-gqqj-85qm-8qhf?

Paperclip AI's codex_local runtime silently inherits Gmail connectors configured in the ChatGPT/OpenAI apps UI, granting the agent full read and send access to the user's personal Gmail account without any explicit authorization or approval gate within Paperclip itself. This is not a theoretical exposure — the reporter confirmed actual outbound emails were dispatched from a personal account, followed by automated retraction messages, demonstrating persistent write capability. With 2,703 downstream dependents and no patch available, any organization deploying Paperclip in agentic workflows where employees also use ChatGPT with Gmail connected is immediately exposed; the default setting `dangerouslyBypassApprovalsAndSandbox = true` eliminates the last line of defense by design. Immediately audit all Paperclip deployments, revoke Gmail OAuth grants from OpenAI apps if Paperclip codex_local is in use, and treat this as an active incident response scenario until an official patch is released.

Is GHSA-gqqj-85qm-8qhf actively exploited?

No confirmed active exploitation of GHSA-gqqj-85qm-8qhf has been reported, but organizations should still patch proactively.

How to fix GHSA-gqqj-85qm-8qhf?

1. Immediately revoke Gmail OAuth grants from OpenAI/ChatGPT apps for all users running Paperclip codex_local agents. 2. Audit codex-home/plugins/cache/openai-curated/ directories on all Paperclip deployments for cached connector state. 3. Set dangerouslyBypassApprovalsAndSandbox to false in all codex_local agent configurations — this is a code-level change required in Paperclip configuration files until an upstream fix ships. 4. Block write-capable connector actions (send_email, send_draft, update_draft) at the network/proxy layer for agentic runtimes. 5. Monitor Gmail activity logs for unexpected sends from automated accounts. 6. Pin paperclipai to a patched version when one is released — currently no patched version exists. 7. Apply principle of least privilege: scope connector grants to read-only where send capability is not required.

What systems are affected by GHSA-gqqj-85qm-8qhf?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, Multi-agent automation platforms, LLM agent pipelines with external connectors, Agentic email automation.

What is the CVSS score for GHSA-gqqj-85qm-8qhf?

GHSA-gqqj-85qm-8qhf has a CVSS v3.1 base score of 8.7 (HIGH).

Technical Details

NVD Description

### Summary A Paperclip-managed `codex_local` runtime was able to access and use a Gmail connector that I had connected in the ChatGPT/OpenAI apps UI, even though I had not explicitly connected Gmail inside Paperclip or separately inside Codex. In my environment this enabled mailbox access and a real outbound email to be sent from my Gmail account. After I manually intervened to stop the workflow, follow-up retraction messages were also sent, confirming repeated outward write/send capability. This appears to be a trust-boundary failure between Paperclip-managed Codex execution and inherited OpenAI app connectors, amplified by dangerous-by-default runtime settings. ### Details Successful runtime calls include: - `mcp__codex_apps__gmail_get_profile` - `mcp__codex_apps__gmail_search_emails` - `mcp__codex_apps__gmail_send_email` The connected Gmail profile resolved to my personal account. Inside the Paperclip-managed `codex-home`, I also found cached OpenAI curated connector state for Gmail under a path like: - `codex-home/plugins/cache/openai-curated/gmail/.../.app.json` This strongly suggests that the runtime had access to an already connected OpenAI apps surface rather than a Paperclip-specific Gmail integration that I intentionally configured. Separately, in the installed Paperclip code, `codex_local` defaults `dangerouslyBypassApprovalsAndSandbox` to `true`, and the server-side agent creation path applies that default when the flag is omitted. In practice, that makes this boundary failure much more dangerous because a newly created `codex_local` agent can operate with approvals and sandbox bypassed by default. The key issue is this: I had connected Gmail only in the ChatGPT/OpenAI apps UI. I had not intentionally connected Gmail inside Paperclip or separately inside Codex. Despite that, the Paperclip-managed `codex_local` runtime was able to use Gmail read/write actions. ### PoC Environment: - self-hosted Paperclip instance using `codex_local` - Gmail connected in the ChatGPT/OpenAI apps UI - no explicit Gmail connection configured inside Paperclip for this test - `codex_local` agent created and run with default behavior Observed reproduction path: 1. Connect Gmail in the ChatGPT/OpenAI apps UI. 2. Create or run a Paperclip `codex_local` agent. 3. Execute a task that inspects mailbox state or performs outward communication. 4. Observe successful Gmail connector calls such as: - `mcp__codex_apps__gmail_get_profile` - `mcp__codex_apps__gmail_search_emails` - `mcp__codex_apps__gmail_send_email` 5. Observe that the connected profile resolves to the ChatGPT/OpenAI-connected Gmail account and that mailbox reads and real sends are possible. Private evidence available on request: - successful `get_profile` / `search` / `send` logs - Paperclip-managed `codex-home` Gmail connector cache path(s) - screenshot showing Gmail write-capable actions such as `send_email`, `send_draft`, and `update_draft` exposed in the connected-app UI - incident timeline showing that a real outbound email was sent - recipient organizations, timestamps, message IDs, and sanitized evidence for both the original outbound email and the subsequent retraction messages ### Impact This was not only theoretical in my environment. It resulted in: - mailbox identity disclosure - mailbox search / thread access - a real outbound email being sent from a personal connected Gmail account to an external third party - follow-up retraction messages being sent after manual intervention, confirming repeated outward write/send capability From an operator/security perspective, connecting Gmail in the ChatGPT/OpenAI apps UI should not automatically make that connector available to a Paperclip-managed local agent runtime, especially not for write/send actions. One or more of the following: - no inherited OpenAI app connectors by default in Paperclip-managed `codex_local` runs - send/write connectors blocked by default - explicit Paperclip-side opt-in before outward actions - auditable approval and provenance for connector-mediated actions - safer defaults, including `dangerouslyBypassApprovalsAndSandbox = false`

Exploitation Scenario

An attacker gains access to a self-hosted Paperclip instance (e.g., via a compromised employee account or misconfigured access controls). They create a codex_local agent with default settings and assign it a task that inspects mailbox state — phrased as a benign automation like 'summarize my recent emails.' The runtime discovers cached OpenAI connector credentials under codex-home/plugins/cache/openai-curated/gmail/ and silently inherits the connected Gmail account. With dangerouslyBypassApprovalsAndSandbox = true (the default), no approval prompt fires. The agent proceeds to call gmail_get_profile, gmail_search_emails, and gmail_send_email — exfiltrating sensitive threads and sending spear-phishing emails from the victim's trusted personal address to external targets without any user confirmation.