Codex reads files outside working directory without my permission

[vlymar]

What version of Codex is running?

codex-cli 0.46.0

What subscription do you have?

I'm using an API key for auth

Which model were you using?

gpt-5-codex

What platform is your computer?

Darwin 25.0.0 arm64 arm

What issue are you seeing?

I launched codex in a subdirectory of a git repo and asked it a question. To my surprise, codex answered the question with information contained outside the working directory. I tried this several more times and got the same results each time. I then simplified my prompt to something that reliably reproduces this behavior.

I usually see List .. in the output, and after that it is clearly listing and reading files outside the initial working directory. I've also see it call commands like find ../opentelemetry_phoenix ...

What steps can reproduce the bug?

1. Clone https://github.com/open-telemetry/opentelemetry-erlang-contrib
2. Cd into the repo, then into this subdir: cd instrumentation/opentelemetry_cowboy
3. Run codex
4. When prompted, select "No, ask me to approve edits and commands"
5. Submit this prompt: "Summarize the opentelemetry phoenix files here"

What is the expected behavior?

I expect codex to never read or write files outside of the directory where I launched it without asking me for permission.

Codex's docs are clear on the topic:

We've chosen a powerful default for how Codex works on your computer: Auto. In this approval mode, Codex can read files, make edits, and run commands in the working directory automatically. However, Codex will need your approval to work outside the working directory or access network.

I've also repro'd the same thing by running codex -s read-only, so sandbox clearly isn't sandboxing codex to the current working dir.

Additional information

❯ cat ~/.codex/config.toml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
File: /Users/victor/.codex/config.toml
Size: 205 B
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
model = "gpt-5-codex"
model_reasoning_effort = "high"
[projects."/Users/victor/src/knocklabs/control"]
trust_level = "trusted"

[projects."/Users/victor/src/knocklabs/switchboard"]
trust_level = "trusted"

[github-actions]

Potential duplicates detected. Please review them and close your issue if it is a duplicate.

• 💔Sandbox allowed unauthorized out-of-workspace operations despite restrictions #5203
• [SECURITY!] Do not allow Codex to read whole filesystem by default in read-only mode #4410
• Codex CLI ignores "read-only" mode and approval policy by executing MCP edit tools #4152

Powered by Codex Action

[vlymar]

Adding a screenshot for convenience

I don't believe the duplicates fully cover this issue.

[etraut-openai]

The codex sandbox is designed to prevent file system writes outside of your working directory. It does not prevent reads. It wouldn't be usable if reads weren't supported. For example, no tools would be able to run in that case. If you want to fully isolate the agent, we recommend that you run it in a docker container or VM.

[miliog]

For example, no tools would be able to run in that case.

That argument is kinda flawed because $PATH exists? If you need to make any other exceptions, codex or the user should define those.

I really thought codex was more secure than others like CC because of the sandbox, but if you're not making effective use of it, it wouldn't matter.

[Medo42]

If it is expected behavior that the agent can read any file the user has access to without asking for permission, this is IMO not well documented. On the contrary, I'm pretty sure most people who read https://developers.openai.com/codex/security/ will think that read access without approval is restricted to the workspace by default:

We’ve chosen a powerful default for how Codex works on your computer. In this default approval mode, Codex can read files, make edits, and run commands in the working directory automatically.

However, Codex will need your approval to work outside the working directory or run commands with network access.

I think that in the majority of cases, codex-cli will be run on a user account which also has access to credentials (e.g. ~/.ssh/*) or personal information which should not be read by the agent (because that means it's sent to a remote server for processing). It is IMO reasonable to want built-in safeguards against this, e.g. by restricting which files codex-cli can read without approval to the workspace.

Yes, tool calls also read files outside the workspace, both because the tools themselves are usually outside the workspace and because arbitrary tool calls have this capacity. Perhaps that means that the sandbox is the wrong place to add these restrictions - I don't know enough about how it works. However, it does not make it impossible to provide better read access safeguards, just that they would require more nuanced rules than "literally only allow the process to read files inside the workspace".

So please consider

• re-opening this issue, perhaps as a feature request instead of a bug
• improving the documentation to make it clear that the agent can currently read anything the user can read, regardless of sandbox settings

[Protonk]

I agree with @Medo42 but want to highlight that in the order they are shown these sentences are not just likely to be read by most people as not allowing codex to read outside the working directory but appear written to cause that impression!

In this default approval mode, Codex can read files, make edits, and run commands in the working directory automatically. However, Codex will need your approval to work outside the working directory or run commands with network access.

The opposition of "read files" in a list of things it can do to "work outside the working directory" as seemingly-generic term which actually excludes reads is bound to confuse and surprise.