RepoJournal
OpenAI

OpenAI

Codex, the SDKs, and the engine behind ChatGPT

Pick a date

  1. Sat 2 may
  2. Sun 3 may
  3. Mon 4 may
  4. Tue 5 may
  5. Wed 6 may
  6. Thu 7 may
  7. Fri 8 may
  8. Sat 9 may
  9. Sun 10 may
  10. Mon 11 may
  11. Tue 12 may
  12. Wed 13 may
  13. Thu 14 may
  14. Sat 16 may
  15. Sun 17 may
  16. Tue 19 may
  17. Wed 20 may
  18. Thu 21 may
  19. Sat 23 may
  20. Mon 25 may
  21. Tue 26 may
  22. Wed 27 may
  23. Thu 28 may
  24. Fri 29 may
  25. Sat 30 may
  26. Sun 31 may
  27. Mon 1 jun
  28. Mon 8 jun
  29. Tue 9 jun
  30. Today 10 jun

The Wire · Showcase

CODEX CLOSES WINDOWS SANDBOX VULNERABILITY AS PLUGIN SYNC GOES LIVE

By RepoJournal · Filed · About OpenAI

A critical Windows named-pipe ACL bypass in the elevated sandbox is patched [ref:1], while remote plugin bundle synchronization ships to keep installations in sync across backends [ref:2].

The Windows sandbox fix [1] closes a privilege escalation window where elevated Codex processes could access named pipes created by build tools like Ninja without proper restrictions. The patch adds elevated-only token constructors that lock down the restricted SID list — a sharp security move that leaves the unelevated path untouched, minimizing blast radius. Meanwhile, remote plugin bundle syncing [2] now downloads and upgrades cached plugin bundles during app-server startup, keeping local installations aligned with backend versions without polluting config.toml. On the analytics front [4], remote plugin installs now emit proper telemetry that preserves marketplace identity while correctly tagging backend-sourced plugins, giving ops real visibility into plugin adoption patterns. Vim mode lands in the TUI composer [5], letting modal editors stop fighting Codex keybindings and stay in muscle memory during prompt drafting. One note: the thread/turns/list API [3] is deliberately marked experimental and pulled from public consumption — there are bugs to work out.

Action items

References

  1. [1] Windows sandbox named-pipe ACL fix
  2. [2] Remote plugin bundle sync
  3. [3] Thread/turns/list API marked experimental
  4. [4] Remote plugin install analytics
  5. [5] Vim mode in TUI composer

FAQ

What changed in OpenAI on May 1, 2026?
A critical Windows named-pipe ACL bypass in the elevated sandbox is patched , while remote plugin bundle synchronization ships to keep installations in sync across backends .
What should OpenAI teams do about it?
Deploy Windows sandbox patch [ref:1] to all elevated environments immediately • Test remote plugin bundle sync [ref:2] against your backend before general rollout • Monitor remote plugin install analytics [ref:4] for correct plugin_id override after deploy

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.