CVE-2025-7021 MEDIUM

CVE-2025-7021: OpenAI Operator - API Spoofing through Locking Operator on FullScreen

Vendor Openai
Product Operator
Weakness CWE-451 (User Interface Misrepresentation of Critical Information)
Published July 10, 2025
Last update July 10, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Passive
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01 Description

Fullscreen API spoofing and UI redressing in the Fullscreen API handling and UI rendering of OpenAI Operator (SaaS, web) allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses). The attacker's page displays a deceptive fullscreen interface with overlaid fake browser controls and uses a distracting element (such as a cookie consent screen) to obscure the browser's fullscreen notification, so that the user is tricked into interacting with the malicious site as if it were a trusted one. The fullscreen notification is the only browser-drawn signal that the page, not the browser, is rendering the visible controls, which is why hiding it is central to the attack.
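
The following is an added example illustrating the pattern described above; it is not code from OpenAI Operator or from the CVE record. The first part shows the shape of a spoofing page (the decoy cookie button doubling as the user gesture that the Fullscreen API requires is an assumed attacker choice). The second part is a check an automated browsing agent or extension could run over the live DOM before trusting the chrome it sees in a screenshot. Element ids, the snapshot format, the layout numbers and the assumed location of the browser's fullscreen notice are all assumptions, and the snapshots are constructed, not captured.

```javascript
// Added example for the CVE-2025-7021 pattern. Illustrative code, not code
// from OpenAI Operator or the CVE record; element ids, layout numbers, the
// snapshot format and TOAST_REGION are assumptions.

// 1. Attacker side: the shape of a fullscreen-spoofing page.
//    requestFullscreen() only works from a user gesture, so here it is bound
//    to the decoy "Accept" click (assumed attacker choice). The same banner
//    is sized to sit where browsers draw their "press Esc to exit full
//    screen" notice, and a fake address bar is drawn along the top edge.
function buildSpoofPage(fakeOrigin) {
  return `<!doctype html>
<div id="stage" style="position:fixed;inset:0;background:#fff">
  <div id="chrome" style="position:fixed;top:0;left:0;right:0;height:40px;background:#eee">
    ${fakeOrigin}/signin
  </div>
  <div id="consent" style="position:fixed;top:40px;left:20%;width:60%;height:120px;z-index:9999">
    We use cookies. <button id="accept">Accept</button>
  </div>
  <form><input id="password" type="password" name="p"></form>
</div>
<script>
  document.getElementById("accept").onclick = () =>
    document.getElementById("stage").requestFullscreen();
</script>`;
}

// 2. Agent side: a heuristic run over the DOM, modelled here as plain data so
//    it executes without a browser. Assumed notice location: top-centre of the
//    viewport, as viewport fractions (real placement varies by browser).
const TOAST_REGION = { x: 0.25, y: 0, w: 0.5, h: 0.2 };

function intersects(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

function assessChromeTrust(page) {
  const realOrigin = new URL(page.url).origin;
  const inFullscreen = page.fullscreenElement !== null;
  const vp = page.viewport;
  const toastBox = { x: TOAST_REGION.x * vp.width, y: TOAST_REGION.y * vp.height,
                     w: TOAST_REGION.w * vp.width, h: TOAST_REGION.h * vp.height };
  const findings = [];
  // With real browser chrome on screen these checks do not apply; in
  // fullscreen everything visible is page content.
  if (inFullscreen) {
    for (const el of page.elements) {
      // URL-looking text along the top edge is content posing as the address
      // bar; compare the origin it shows with the document's real origin.
      const m = /https?:\/\/[^\s/]+/.exec(el.text || "");
      if (m && el.rect.y < 60 && new URL(m[0]).origin !== realOrigin) {
        findings.push("spoofed-address-bar:" + el.id);
      }
      // A stacked element covering the notice region hides the only
      // browser-drawn signal that the page is fullscreen.
      if ((el.zIndex || 0) > 0 && intersects(el.rect, toastBox)) {
        findings.push("fullscreen-notice-obscured:" + el.id);
      }
      if (el.type === "password") findings.push("credential-field:" + el.id);
    }
  }
  // Only an address bar drawn by the browser itself can be trusted.
  return { inFullscreen, realOrigin, findings, trusted: !inFullscreen && findings.length === 0 };
}

// Constructed snapshots (not captured data). The first mirrors buildSpoofPage()
// after the decoy click, as an agent would read it from the DOM.
const SPOOF_SNAPSHOT = {
  url: "https://attacker.example/login",
  fullscreenElement: "div#stage",
  viewport: { width: 1280, height: 800 },
  elements: [
    { id: "chrome", text: "https://accounts.example/signin", rect: { x: 0, y: 0, w: 1280, h: 40 } },
    { id: "consent", text: "We use cookies.", zIndex: 9999, rect: { x: 256, y: 40, w: 768, h: 120 } },
    { id: "password", type: "password", rect: { x: 440, y: 380, w: 400, h: 32 } },
  ],
};

const BENIGN_SNAPSHOT = {
  url: "https://accounts.example/signin",
  fullscreenElement: null,
  viewport: { width: 1280, height: 800 },
  elements: [
    { id: "header", text: "Sign in", rect: { x: 0, y: 0, w: 1280, h: 60 } },
    { id: "password", type: "password", rect: { x: 440, y: 380, w: 400, h: 32 } },
  ],
};

const spoofVerdict = assessChromeTrust(SPOOF_SNAPSHOT);   // trusted: false, three findings
const benignVerdict = assessChromeTrust(BENIGN_SNAPSHOT); // trusted: true, no findings
```

The check is deliberately keyed on `document.fullscreenElement`: a screenshot of the spoofed page looks like a normal browser window with a trusted address bar, but the DOM still records that the document is fullscreen, so an agent that consults the DOM rather than pixels alone retains the signal the obscured notification was meant to carry. The origin comparison and the notice-region test are heuristics with false positives and belong behind that primary check, not in place of it.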

Key dates

02 Disclosure timeline

July 10, 2025 CVE published
July 10, 2025 Record updated
