OpenAI Codex Uncovers 10,561 High-Severity Issues in 1.2M Code Commits
OpenAI has launched a powerful new feature called Codex Security. This AI-driven security tool is designed to detect, validate, and propose remedies for vulnerabilities in code. Currently, it is available in research preview for ChatGPT Pro, Enterprise, Business, and Edu users with free usage for the next month.
Key Features of Codex Security
Codex Security builds a comprehensive understanding of a user’s project to highlight critical vulnerabilities that traditional tools often overlook. OpenAI claims it presents higher confidence in findings and suggests fixes that substantially enhance system security.
Background and Development
Codex Security is evolved from a previous utility called Aardvark, introduced in private beta in October 2025. The tool aims to aid developers and security teams in identifying and rectifying security flaws more effectively.
Statistics and Findings
In just 30 days of its beta testing, Codex Security has scanned over 1.2 million code commits. The scans identified 792 critical vulnerabilities and a staggering 10,561 high-severity issues. These vulnerabilities affected multiple open-source projects, such as:
- OpenSSH
- GnuTLS
- GOGS
- Thorium
- libssh
- PHP
- Chromium
Some significant vulnerabilities include:
| Project | CVE Identifiers |
|---|---|
| GnuPG | CVE-2026-24881, CVE-2026-24882 |
| GnuTLS | CVE-2025-32988, CVE-2025-32989 |
| GOGS | CVE-2025-64175, CVE-2026-25242 |
| Thorium | CVE-2025-35430 to CVE-2025-35436 |
How It Works
Codex Security utilizes advanced reasoning from OpenAI’s frontier models combined with automated validation. This design aims to minimize the risk of false positives, enabling accurate and actionable remediation. The process involves three main steps:
- Analysis of the repository to understand its security structure and generate an editable threat model.
- Identification and classification of vulnerabilities based on their real-world implications, followed by sandbox testing to validate these findings.
- Proposing tailored fixes that align with system behavior, aiming to reduce regressions and simplify deployment.
OpenAI claims that with appropriate project configuration, Codex Security can validate potential issues within the context of the operational system, reducing false positives further.
Industry Context
The introduction of Codex Security closely follows the release of Claude Code Security by Anthropic. Both aim to fortify code security by scanning for vulnerabilities and suggesting necessary patches.
OpenAI emphasizes that Codex Security prioritizes signal-to-noise ratio in vulnerability detection. This streamlined approach enables developers and security teams to focus on high-impact issues effectively.
