The Information Machine

OpenAI Codex Enterprise Push: Mobile Launch, Windows Sandbox, and Customer Stories

Version 12

2026-05-31 18:25 UTC · 486 items

What

OpenAI's enterprise Codex platform now has three publicly disclosed vulnerabilities with no confirmed patch for any of them: CVE-2025-59532 (sandbox bypass via path configuration logic [16]), CVE-2025-61260 (remote code execution [17]), and ZDI-26-305, published by Trend Micro's Zero Day Initiative as a zero-day sandbox escape [18][19]. Security researchers at Cymulate have named the underlying attack class 'Configuration-Based Sandbox Escape' (CBSE), framing Codex's issues as symptomatic of a broader pattern in AI coding tools shipped faster than their security infrastructure can support [21]. Windows Computer Use remains unstable — UAC failures, spawn errors, and crashes continue without a confirmed stable release [24][25] — and OpenAI has issued no public remediation timeline for any security issue.

Why it matters

Three public, unpatched vulnerabilities — one published as a zero-day by a major security research firm — materially change the enterprise risk calculus for Codex. BeyondTrust's finding that the command injection can expose GitHub tokens in enterprise deployments [20] raises the stakes from theoretical sandbox escapes to credential theft at scale, precisely the risk that compliance and security teams in regulated industries must resolve before broad deployment.

Open questions

  • CVE-2025-59532, CVE-2025-61260, and ZDI-26-305 are all publicly disclosed with no confirmed OpenAI remediation [16][17][19] — has OpenAI acknowledged any of these with a patch or a committed timeline?

  • BeyondTrust documents that CVE-2025-59532's command injection can expose GitHub tokens in enterprise deployments [20] — what is the actual blast radius, and has OpenAI communicated privately with affected enterprise customers?

  • Cymulate frames CBSE as a category affecting AI coding tools broadly [21] — are GitHub Copilot, Cursor, or other Gartner Magic Quadrant Leaders exposed to the same class of vulnerability?

  • Windows Computer Use launched with widespread sandbox setup failures [23][35] and continues to fail for multiple users [24][25] — has OpenAI shipped a stable release, and what security review governed shipping desktop GUI control before the feature was stable?

Narrative

OpenAI launched Codex as a production enterprise coding platform across April–May 2026, growing from 3 million to over 4 million weekly active developers [1] and naming seven global systems integrators as partners: Accenture, Capgemini, CGI, Cognizant, Infosys, PwC, and TCS. The platform expanded across form factors — mobile apps on iOS and Android on May 14 [2], a Windows app on May 16 [3], an on-premises and hybrid deployment partnership with Dell Technologies on May 18 [4], and full desktop GUI automation (Computer Use on Windows) around May 29 [5]. A Gartner Magic Quadrant Leader designation on May 22 [6] marked OpenAI's first entry into the category alongside three-time incumbent GitHub and Cursor, with Cursor confirmed furthest right on completeness of vision [7].

A rapid sequence of customer case studies extended the deployment record through late May. Virgin Atlantic reports a 78–80% reduction in legacy codebase size with zero P1 defects at mobile app launch [8]; Cisco reports a 10–15x increase in defect resolution throughput with over 1,500 engineering hours saved monthly [9]; Warp reports agents co-creating approximately 90% of internal pull requests alongside 35x ARR growth [10]; Endava describes itself as an 'agentic organization' compressing requirements processes from weeks to two one-hour meetings [11]; and Braintrust reports 50% engineering team adoption within one month and a shift toward real-time customer feature ideation [12]. Every performance figure originates from OpenAI-controlled or co-published materials, with no independent technical verification.

The platform's security posture has escalated into a multi-vulnerability crisis. OpenAI published 'Running Codex safely at OpenAI' on May 8 as an enterprise security reference [13], but three separate vulnerabilities are now publicly documented with no confirmed remediation: CVE-2025-59532, characterized by Check Point Research as a command injection with a public Docker-based proof-of-concept [14][15] and formally entered in the GitLab Advisory Database as a sandbox bypass via path configuration logic [16]; CVE-2025-61260, an RCE vulnerability disclosed by SentinelOne [17]; and ZDI-26-305, a sandbox escape published by Trend Micro's Zero Day Initiative as a zero-day [18][19]. BeyondTrust has specifically documented that the command injection can expose GitHub tokens in enterprise deployments [20], and Cymulate has named the underlying attack class 'Configuration-Based Sandbox Escape' (CBSE), framing it as a category pattern across AI coding tools [21]. A researcher separately documented that the Codex CLI disregards its sandbox when tmux is used [22]. Computer Use on Windows, launched around May 29, has been accompanied by persistent, independently reported setup failures — UAC errors, spawn errors, and crashes — with no confirmed stable release [23][24][25].

The competitive and financial picture adds friction to OpenAI's enterprise momentum narrative. Multiple sources report Q1 2026 revenue at approximately $5.7B with Codex cited as a growth driver [26][27], but a critical analysis reports a –122% Non-GAAP operating margin [28] and Ramp's AI Index reports Anthropic has overtaken OpenAI in business AI adoption [29][30]. Infosys, one of seven named GSI partners, publicly positions as model-agnostic [31]; UiPath treats Codex, Claude Code, and GitHub Copilot as interchangeable selectable components [32][33]; and GitHub Agent HQ formally treats Claude and Codex as equivalent selectable agents [34] — a consistent pattern suggesting Codex is being absorbed into existing orchestration layers rather than adopted as a distinct platform.

Timeline

  • 2026-04-21: OpenAI reports 4M+ weekly active developers, launches Codex Labs, and names seven GSI partners in 'Scaling Codex to enterprises worldwide' [1][50]
  • 2026-05-08: OpenAI publishes 'Running Codex safely at OpenAI' as an enterprise security reference model documenting sandboxing, approvals, and agentic telemetry [13]
  • 2026-05-14: Codex launches in ChatGPT mobile app on iOS and Android in preview; Sea Limited case study published [2][51][52]
  • 2026-05-15: OpenAI publishes engineering retrospective on the Windows sandbox, detailing rejected security primitives and the final composed architecture [39]
  • 2026-05-16: Codex Windows app launches in Microsoft Store; community user reports Codex wiped files on their machine [3][53]
  • 2026-05-18: OpenAI and Dell Technologies announce partnership to deploy Codex in hybrid and on-premises enterprise environments [4][48][49]
  • 2026-05-20: UiPath launches enterprise platform treating Codex, Claude Code, and GitHub Copilot as interchangeable selectable components; Infosys publicly positions as model-agnostic [32][33][31]
  • 2026-05-21: GitHub officially launches Claude and Codex as selectable agents in Agent HQ; GPT-5.3-Codex reported as new base model for Copilot Business and Enterprise [34][44][54]
  • 2026-05-22: Gartner 2026 Magic Quadrant names OpenAI, GitHub, and Cursor as Leaders (Cursor furthest right); CVE-2025-59532 disclosed; Virgin Atlantic case study published with 78–80% codebase reduction and zero P1 defects [6][7][43][55][56][8]
  • 2026-05-23: Check Point Research characterizes CVE-2025-59532 as command injection with a public Docker-based proof-of-concept; Codex Security research preview announced [14][15][40]
  • 2026-05-24: Dell confirms Grok 2.5 deployment on infrastructure identical to that used for Codex; GPT-5.5 rolls out; Codex Security reports 1.2M commits scanned and 10,561 high-severity issues [47][57][41]
  • 2026-05-25: Multiple sources report OpenAI Q1 2026 revenue at ~$5.7B; critical analysis reports –122% Non-GAAP operating margin; Ramp AI Index reports Anthropic has overtaken OpenAI in business AI adoption [26][28][27][29][30]
  • 2026-05-27: Cisco (10–15x defect throughput), Warp (90% agent-created PRs, GPT-5.5 uses 30% fewer tokens than GPT-5.4), and Thrive/Crete tax-filing agent case studies published [9][10][38]
  • 2026-05-28: Endava case study published; company describes itself as an 'agentic organization' compressing requirements processes from weeks to two one-hour meetings [11]
  • 2026-05-29: Braintrust case study published (50% engineering adoption in one month); Codex Computer Use launches on Windows enabling desktop GUI control; community users immediately report widespread sandbox setup failures; CLI sandbox escape via tmux documented [12][58][59][42][23][60][22]
  • 2026-05-30: ZDI publishes sandbox escape ZDI-26-305 as a zero-day; GitLab Advisory Database formally enters CVE-2025-59532 as sandbox bypass via path configuration logic; BeyondTrust documents GitHub token exposure via command injection; Cymulate names 'Configuration-Based Sandbox Escape' (CBSE) as an AI coding tool vulnerability category [16][21][18][19][20]
  • 2026-05-31: CVE-2025-61260 (RCE) disclosed by SentinelOne; Windows Computer Use UAC and spawn failures continue with no confirmed stable release; OpenCVE tracks multiple OpenAI CVEs [17][61][24][25]

Perspectives

OpenAI (product and marketing)

Positions Codex as a production-ready, cross-platform enterprise platform with broad industry adoption, rapid user growth, expanding GSI and hardware partnerships, Gartner Leader recognition, and explicit ambition to serve knowledge work across regulated and professional domains [1][36][4][6].

Evolution: Braintrust [12] is the seventh named customer case study; Computer Use on Windows [5] marks the first expansion into full desktop GUI automation. No public response to accumulating security disclosures.

OpenAI (engineering and security)

Published 'Running Codex safely at OpenAI' as an enterprise reference model [13] and a candid Windows sandbox architecture retrospective [39], while Codex Security preview extended the security-tooling narrative [40][41].

Evolution: The security posture has escalated to three public, unpatched vulnerabilities — CVE-2025-59532 (command injection/sandbox bypass) [14][16], CVE-2025-61260 (RCE) [17], and ZDI-26-305 (zero-day sandbox escape) [19] — none with confirmed remediation, placing all three in direct tension with the May 8 security reference post.

GitHub / Microsoft

GitHub earned its third consecutive Gartner Magic Quadrant Leader designation [43] and formally launched Claude and Codex as selectable agents in Agent HQ [34][44]; Microsoft published Azure documentation for cloud-sovereign Codex deployment [45].

Evolution: Consistent; three-year incumbency frames OpenAI's entry as joining an established market rather than defining one.

Cursor

Named a Leader in the 2026 Gartner Magic Quadrant and confirmed as positioned furthest to the right on completeness of vision among all three Leaders [7].

Evolution: Consistent.

Dell Technologies

Multi-model infrastructure broker enabling on-premises and hybrid AI deployment — confirmed deploying both Codex for OpenAI [4] and Grok 2.5 for xAI [47] on identical Dell AI Factory infrastructure with no disclosed exclusivity.

Evolution: Consistent.

Security researchers (Check Point, Cymulate, BeyondTrust, ZDI, SentinelOne)

Multiple independent security firms have now characterized Codex vulnerabilities: Check Point confirmed command injection with a public proof-of-concept [14]; Cymulate named CBSE as a vulnerability category affecting AI coding tools broadly [21]; BeyondTrust documented GitHub token exposure via the command injection [20]; ZDI published ZDI-26-305 as a zero-day [19]; SentinelOne disclosed CVE-2025-61260 (RCE) [17]; community users continue reporting Windows Computer Use failures [24][25].

Evolution: Escalated significantly: three tracked vulnerabilities (two CVEs plus one ZDI zero-day) now, up from one CVE in the prior pass, with CBSE framing suggesting systemic rather than isolated issues.

Independent market data (Ramp AI Index)

Ramp's May 2026 AI Index reports Anthropic has overtaken OpenAI in business AI adoption [29][30], in direct tension with OpenAI's enterprise momentum claims.

Evolution: Consistent.

Enterprise automation platforms (UiPath, GitHub Agent HQ)

UiPath treats Codex, Claude Code, and GitHub Copilot as interchangeable selectable components [32][33]; GitHub Agent HQ formally treats Claude and Codex as equivalent selectable agents [34] — absorbing Codex into existing orchestration layers rather than adopting it as a standalone platform.

Evolution: Consistent; commoditization pattern unchanged.

Tensions

  • OpenAI published 'Running Codex safely at OpenAI' as an enterprise security reference [13], but three separate vulnerabilities are now publicly documented with no confirmed remediation: CVE-2025-59532 (command injection/sandbox bypass) [14][16], CVE-2025-61260 (RCE) [17], and ZDI-26-305 (zero-day sandbox escape) [19] — plus a CLI sandbox escape via tmux [22] and persistent Windows Computer Use failures [24][25]. [13][14][16][17][19][22][24][25]
  • Cymulate frames CBSE as a category-level vulnerability pattern affecting AI coding tools broadly [21], while BeyondTrust specifically documents that Codex's command injection can expose GitHub tokens in enterprise deployments [20] — raising the question of whether OpenAI's security reference model [13] systematically understates the attack surface. [21][20][13]
  • OpenAI's scale narrative claims 4M+ weekly active developers and ~$5.7B Q1 2026 revenue with Codex as a driver [1][26], while Ramp's AI Index reports Anthropic has overtaken OpenAI in business AI adoption [29][30] and a critical analysis reports a –122% Non-GAAP operating margin [28]. [1][26][28][29][30]
  • The 2026 Gartner Magic Quadrant provided OpenAI its first major analyst validation [6], but GitHub earned the same Leader designation for the third consecutive year [43] and Cursor is confirmed furthest right [7], reflecting category maturity across incumbents rather than a breakthrough for any new entrant. [6][43][7]
  • OpenAI markets Codex as a uniquely positioned enterprise platform, but Infosys — one of its seven named GSI partners — publicly positions as model-agnostic [31], UiPath bundles Codex alongside Claude Code and GitHub Copilot as interchangeable components [32][33], and Dell simultaneously deploys Grok 2.5 on identical infrastructure [47]. [32][33][31][47]
  • All named enterprise performance claims — Cisco's 10–15x defect throughput [9], Virgin Atlantic's 78–80% codebase reduction [8], Warp's 90% agent-created PRs [10], Braintrust's 50% adoption in one month [12] — originate exclusively from OpenAI-controlled or co-published materials, with no independent technical verification. [8][9][10][11][12]

Sources

  1. [1] Scaling Codex to enterprises worldwide — OpenAI Blog (2026-04-21)
  2. [2] Work with Codex from anywhere — OpenAI Blog (2026-05-14)
  3. [3] OpenAI Codex Arrives on Windows with Native Sandbox and Agentic Workflows | Windows Forum — reactive:openai-codex-enterprise-rollout
  4. [4] OpenAI and Dell partner to bring Codex to hybrid and on-premise enterprise environments — OpenAI Blog (2026-05-18)
  5. [5] OpenAI brings Computer Use to Windows: Codex now controls the real desktop, operates windows, launches programs, ... — reactive:openai-codex-enterprise-rollout (2026-05-30)
  6. [6] OpenAI named a Leader in enterprise coding agents by Gartner — OpenAI Blog (2026-05-22)
  7. [7] Cursor is a leader in the 2026 Gartner Magic Quadrant for Enterprise AI Coding Agents, positioned furthest to the right ... — reactive:coding-agent-industry-pivot (2026-05-22)
  8. [8] How Virgin Atlantic ships faster with Codex — OpenAI Blog (2026-05-22)
  9. [9] Cisco and OpenAI redefine enterprise engineering with Codex — OpenAI Blog (2026-05-27)
  10. [10] Warp’s big bet on building open source with GPT-5.5 — OpenAI Blog (2026-05-27)
  11. [11] How Endava builds an agentic organization with Codex — OpenAI Blog (2026-05-28)
  12. [12] How Braintrust turns customer requests into code with Codex — OpenAI Blog (2026-05-29)
  13. [13] Running Codex safely at OpenAI — OpenAI Blog (2026-05-08)
  14. [14] OpenAI Codex CLI Vulnerability: Command Injection — reactive:openai-codex-enterprise-rollout
  15. [15] GitHub - baktistr/cve-2025-59532-poc: A Docker-based research ... — reactive:openai-codex-enterprise-rollout
  16. [16] Codex has sandbox bypass due to bug in path configuration logic | GitLab Advisory Database (GLAD) — reactive:openai-codex-enterprise-rollout
  17. [17] CVE-2025-61260: OpenAI Codex CLI RCE Vulnerability — reactive:openai-codex-enterprise-rollout
  18. [18] OpenAI Codex: Reported Sandbox Escape Disclosed (ZDI-26-305) — reactive:openai-codex-enterprise-rollout
  19. [19] ZDI publishes OpenAI Codex sandbox bypass as a zero-day — reactive:openai-codex-enterprise-rollout
  20. [20] OpenAI Codex Command Injection Vulnerability - BeyondTrust — reactive:openai-codex-enterprise-rollout
  21. [21] Configuration-Based Sandbox Escape (CBSE) in AI Coding Tools — reactive:openai-codex-enterprise-rollout
  22. [22] Reminder that @OpenAI Codex CLI disregards its sandbox when using tmux: Codex will use the bash session opened in anoth... — reactive:openai-codex-enterprise-rollout (2026-05-29)
  23. [23] @daniel_mac8 No. Codex never works on my Windows. Somehow it stuck at Agent Sandbox set up and cant do anything. Shitty ... — reactive:openai-codex-enterprise-rollout (2026-05-29)
  24. [24] Argh! What is going on with codex-windows-sandbox-setup.exe failing at UAC! — reactive:openai-codex-enterprise-rollout (2026-05-31)
  25. [25] Codex Desktop on Windows: Computer Use helper fails immediately — reactive:openai-codex-enterprise-rollout (2026-05-30)
  26. [26] PYMNTS | OpenAI’s Codex Helps Drive Nearly $6 Billion Quarter — reactive:openai-codex-enterprise-rollout
  27. [27] OpenAI Posts $5.7B Q1 Revenue, Leads Anthropic | Let's Data Science — reactive:openai-codex-enterprise-rollout
  28. [28] News: OpenAI Had A Negative 122% Non-GAAP Operating Margin ... — reactive:openai-codex-enterprise-rollout
  29. [29] Anthropic finally beat OpenAI in business AI adoption - VentureBeat — reactive:enterprise-ai-coding-battle
  30. [30] Anthropic beats OpenAI on business adoption - Ramp — reactive:enterprise-ai-coding-battle
  31. [31] Infosys Partners with OpenAI on Codex | CRN India posted on the ... — reactive:openai-codex-enterprise-rollout
  32. [32] UiPath Launches Enterprise Platform for Claude Code, OpenAI Codex, Copilot, and More - https://t.co/BKLcG2k1oK @UiPath @... — reactive:openai-codex-enterprise-rollout (2026-05-20)
  33. [33] UiPath opens its platform to every coding agent - here's why Claude Code and Codex go first — reactive:openai-codex-enterprise-rollout
  34. [34] Pick your agent: Use Claude and Codex on Agent HQ — reactive:openai-codex-enterprise-rollout
  35. [35] Computer Use in Codex in Windows doesn't work for me and at least two others on Twitter. I've filed two bug reports with... — reactive:openai-codex-enterprise-rollout (2026-05-30)
  36. [36] How frontier enterprises are building an AI advantage — OpenAI Blog (2026-05-06)
  37. [37] Singular Bank helps bankers move fast with ChatGPT and Codex — OpenAI Blog (2026-05-06)
  38. [38] Building self-improving tax agents with Codex — OpenAI Blog (2026-05-27)
  39. [39] Building a safe, effective sandbox to enable Codex on Windows — OpenAI Blog (2026-05-15)
  40. [40] Codex Security: now in research preview - OpenAI — reactive:openai-codex-enterprise-rollout
  41. [41] OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues — reactive:openai-codex-enterprise-rollout
  42. [42] @CodexReleases Codex Computer Use on Windows would not start: windows sandbox failed: spawn setup refresh. The cause was in ... — reactive:openai-codex-enterprise-rollout (2026-05-29)
  43. [43] GitHub recognized as a Leader in the Gartner® Magic Quadrant ... — reactive:openai-codex-enterprise-rollout
  44. [44] Claude and Codex are now available in public preview on GitHub — reactive:openai-codex-enterprise-rollout
  45. [45] Codex with Azure OpenAI in Microsoft Foundry Models — reactive:openai-codex-enterprise-rollout
  46. [46] Cursor named a Leader in the 2026 Gartner® Magic Quadrant™ for ... — reactive:openai-codex-enterprise-rollout
  47. [47] Grok 2.5 and Dell AI Factory Power AI Revolution | Dell — reactive:openai-codex-enterprise-rollout
  48. [48] OpenAI and Dell Technologies partner to bring Codex to hybrid and on-premises enterprise environments | OpenAI https://t... — reactive:openai-codex-enterprise-rollout (2026-05-20)
  49. [49] OpenAI and Dell Collaborate to Deploy Codex in Hybrid and On-Premise Enterprise Settings — reactive:openai-codex-enterprise-rollout (2026-05-20)
  50. [50] OpenAI leans on global consultancies to expand Codex use in large ... — reactive:openai-codex-enterprise-rollout
  51. [51] Sea's View on the Future of Agentic Software Development with Codex — OpenAI Blog (2026-05-14)
  52. [52] OpenAI says Codex is coming to your phone - TechCrunch — reactive:codex-practical-dev-tool
  53. [53] Built a Windows sandbox after Codex wiped files on my machine — reactive:openai-codex-enterprise-rollout
  54. [54] 🚨Codex CLI 0.133.0 is out! — reactive:openai-codex-enterprise-rollout (2026-05-21)
  55. [55] CVE-2025-59532 Detail - NVD — reactive:openai-codex-enterprise-rollout
  56. [56] Codex has sandbox bypass due to bug in path configuration logic — reactive:openai-codex-enterprise-rollout
  57. [57] RT @OpenAI: GPT-5.5 is rolling out today for Plus, Pro, Business and Enterprise users across ChatGPT and Codex. — reactive:openai-codex-enterprise-rollout (2026-05-24)
  58. [58] @OpenAI Codex Desktop Computer Use on Windows won’t start. — reactive:openai-codex-enterprise-rollout (2026-05-29)
  59. [59] Codex Computer Use was released on Windows, but it crashed on me right away 😄 — reactive:openai-codex-enterprise-rollout (2026-05-29)
  60. [60] @gdb Bug Report. Codex is not working. It keeps asking for Agent Sandbox setup again and again. I'm on Windows 11 machin... — reactive:openai-codex-enterprise-rollout (2026-05-28)
  61. [61] Openai CVEs and Security Vulnerabilities - OpenCVE — reactive:openai-codex-enterprise-rollout