On July 17, 2026, OpenAI acknowledged that its latest coding model, GPT-5.6 Sol, can inadvertently erase files — including entire home directories — when used through the Codex agent in Full Access mode. The admission follows a series of alarming incidents where developers lost critical data after the AI misinterpreted a path variable during routine workspace setup, as first reported by The Independent and corroborated by TechCrunch.

What Actually Happened

OpenAI product lead Thibault Sottiaux investigated “a handful” of reported cases and confirmed a common pattern. When GPT-5.6 Sol creates a temporary workspace, it can attempt to redefine the $HOME environment variable. In certain configurations, it then mistakenly deletes the real home directory instead of the intended temporary one. On macOS and Linux, this wipes a user’s entire profile. On Windows, the comparable danger zone includes %USERPROFILE%, mapped drives, synced OneDrive folders, repositories, and any working directory that holds credentials.

The trigger was not a malicious command from the user, nor an explicit rm -rf instruction. It was a misinterpretation of a file system path during what should have been a benign operation. The incidents documented by developer Bruno Lemos and AI entrepreneur Matt Shumer ranged from erased project files to a production database being wiped, underscoring the severity.

Why Full Access Mode Turned a Productivity Tool into a Data Wrecker

Codex operates under three approval modes defined in OpenAI’s documentation:
- Suggest: Reads files and proposes changes; user must approve all edits and commands.
- Auto Edit: Can write files but still prompts before executing shell commands.
- Full Auto: Designed for autonomous work inside a sandboxed, network-disabled environment limited to the current directory.

The file-deletion incidents all occurred when users escalated beyond the safer defaults: they activated Full Access mode, removed sandbox protections, and disabled the Auto Review gate. In that state, the AI agent can execute arbitrary commands, manipulate environment variables, and traverse the file system unchecked. The $HOME bug is just one manifestation of a broader risk: an entirely unsupervised agent with the keys to your machine.

Even without Hollywood-style “rogueness,” an AI that can run PowerShell, alter environment variables, clear folders, invoke Git cleanup commands, or manipulate WSL files has more than enough authority to cause irreversible damage. It only takes one wrong path.

The Windows Risk Profile: More Than Just a Home Directory

The highest-profile cases involved Mac and Linux home directories, but a Windows workstation can expose equally consequential targets:

  • A Codex session that writes outside a cloned repository into %USERPROFILE%, Desktop, Documents, or a synced OneDrive folder.
  • A terminal running with elevated Administrator privileges, granting access to privileged PowerShell modules and cloud CLI credentials.
  • A WSL distribution whose Linux home directory is reachable from Windows, or whose mounted drives expose broad NTFS paths.
  • A developer workstation storing production database credentials, deployment secrets, or active VPN connections.
  • A shared build or jump host where an agent can see multiple projects, network shares, and service-account material.

A developer who opens a repository inside OneDrive may be one erroneous bulk deletion away from replicating the damage across a collaboration environment. Local .env files, cached cloud tokens, and SSH private keys can turn a workstation-level mistake into an infrastructure breach. The agent doesn’t need to “go rogue” — it just needs to be wrong about one path.

How We Got Here: The Rush Toward Autonomous Coding Agents

OpenAI previewed GPT-5.6 Sol in late June, positioning it for complex coding, cybersecurity, computer-use, and research workflows. The model was explicitly designed to handle long-running, multi-step tasks with minimal supervision — a leap from earlier copilot-style assistants. Codex, the programming agent framework, was meant to embody that autonomy.

Yet even the preview materials acknowledged that no evaluation can cover every real-world workflow or multi-step failure. That caveat is now playing out in practice. The push for agents that control computers directly — not just suggest code — has amplified the blast radius of any reasoning error. A model that recommends a bad command is annoying; a model that executes it across a user profile or production-connected workstation is an incident.

For IT professionals, this pattern is familiar. Production automation long ago adopted least privilege, scoped service accounts, change control, dry runs, immutable backups, and rollback plans precisely because automated tools can fail catastrophically. AI agents don’t eliminate those disciplines — they make them more urgent.

What to Do Now: Immediate Safeguards for Windows Users

The core lesson is not to stop using AI coding tools; it is to stop treating them as trusted operators. Here are concrete steps for Windows users and administrators:

1. Isolate the Agent’s Workspace

  • Use a dedicated virtual machine, Windows Sandbox, Hyper-V, Dev Box, or Azure Virtual Desktop test instance.
  • If using WSL, lock it down so the agent cannot traverse into the Windows file system via /mnt.
  • Never give the agent write access outside the current project directory. Bind mounts in containers must be narrowly scoped — mounting your user profile or a broad drive recreates the problem under a different label.

2. Restore Approval Gates

  • Revert to Suggest or Auto Edit mode. Require explicit human approval for any shell command, environment variable change, or file deletion outside the repository.
  • Disable Full Access and Auto Review bypass. These settings exist for sandboxed, network-disabled conditions; they are not safe for a real workstation.

3. Strip Away Production Credentials

  • Do not store production .env files, SSH keys, or cloud tokens on a development machine where an agent can read them.
  • If a task needs database access, point it at a scrubbed local copy, a disposable test tenant, or a narrowly scoped dev account.
  • Disconnect active VPN sessions and cloud CLI logins before running autonomous agents.

4. Make Version Control and Backups Non-Negotiable

  • Commit frequently and push to a remote repository. Git will preserve tracked source changes, but it won’t save untracked files, credentials, databases, or synced cloud folders.
  • Pair Git with versioned, immutable backups of your entire development environment. A backup is not a substitute for containment — it’s the safety net after containment has already failed.

5. For IT Administrators: Enforce Guardrails

  • Use Group Policy or endpoint management to block AI agents from running with elevated rights.
  • Restrict execution of untrusted scripts in user profile directories.
  • Monitor for agents that attempt to access or modify environment variables, delete large numbers of files in quick succession, or traverse sensitive paths like %USERPROFILE% and OneDrive.

Outlook: Waiting for OpenAI’s Safeguard Overhaul

OpenAI has stated it will revise developer messaging around Full Access, encourage safer configurations, and add additional safeguards. No post-mortem has been published yet, nor have the promised changes been tested in the wild. Until the company demonstrates that a temporary-directory mistake cannot again become a home-directory deletion, GPT-5.6 Sol should be run only in tightly constrained environments.

The real milestone isn’t a better prompt or a more capable model. It’s proving that an AI coding agent can handle autonomous tasks without holding the keys to the kingdom.