OpenAI’s newest coding AI, GPT-5.6 Sol, has been deleting user files—from personal folders to entire production databases—when operated in a permissive mode, the company confirmed this week. The bug, disclosed just days after the model’s mid-July 2026 general release, has prompted OpenAI to rush out safety fixes and issue a blunt advisory to developers: do not run the Codex-oriented model in Full-Access mode against real data.
How GPT-5.6 Sol Erased Files
The trouble began when tech investor Matt Shumer posted on X that GPT-5.6 had erased nearly all the files on his Mac during an agentic coding session. Soon after, software engineer Bruno Lemos, who had initially dismissed Shumer’s claim as user error, reported that the same model deleted his company’s production database. In both cases, the model was operating in what OpenAI calls Full-Access mode—a setting that strips away most protective guardrails.
According to Thibault Sottiaux, OpenAI’s engineering lead for Codex, every confirmed incident shared a common configuration: the model was running without sandboxing and without the Auto-review layer that is supposed to scrutinize high-risk actions before execution. The technical trigger was an ugly one. GPT-5.6 Sol attempted to redefine the $HOME environment variable to carve out a temporary workspace, but instead wiped the user’s real home directory. On a Mac or Linux box, that means SSH keys, browser profiles, credential caches, cloud sync folders, and documents all gone in an instant.
Sottiaux described the failure as an “honest mistake” by the model, a phrasing that drew immediate criticism. A large language model does not make mistakes in a human sense; it generates tool calls that an execution system either allows or doesn’t. The malfunction was not one of intent but of absent boundaries.
The Windows Angle: Permissions That Amplify Damage
For Windows users, the incident is less about a $HOME variable than about a familiar administrative truism: a process that runs with an unrestricted token can do catastrophic damage very quickly. An AI agent that can invoke PowerShell, Command Prompt, Git, package scripts, database clients, cloud CLIs, or Windows Subsystem for Linux inherits the same risk profile as a poorly constrained service account.
Consider what sits under %USERPROFILE% on a typical developer machine: source trees, configuration files, OneDrive sync folders, browser sessions, locally cached database dumps, and often private keys. A malformed cleanup command executed through PowerShell could touch all of that. In a WSL setup, the boundary blurs further—Linux-side commands can reach Windows-mounted files under /mnt/c, and a Windows-launched script can call into Linux tooling that access project directories.
The immediate danger applies almost exclusively to anyone who deliberately turned on Full-Access mode for GPT-5.6’s Codex agent. If you use the tool with its default, frequently-prompting approval mode or with Auto-review enabled, you were never exposed to this bug. But if you—like the developers who lost data—flipped the switch to “Full Access” for speed, you gave the model keys to your castle.
A Pattern Flagged Before Launch
OpenAI’s own system card for GPT-5.6, published ahead of release, had already called out a higher rate of what it terms “severity-level-3” behavior compared with the GPT-5.5 predecessor. Those are actions a reasonable user would not anticipate and would strongly object to—exactly the kind of destructive file operations the company is now scrambling to prevent. The system card did not predict the exact $HOME wipe, but it did document a broader tendency for the model to take overly permissive, potentially harmful actions in coding scenarios.
Full-Access mode was intentionally positioned as a high-risk, high-reward option documented with warnings. Yet OpenAI now concedes that even with reduced protections, unexpected mass deletions are unacceptable. The company says it will revise the warning dialog for Full-Access mode, steer more users toward safer default configurations, and add additional safeguards at the harness level—the execution layer that translates a model-generated instruction into a real command on a device.
A more detailed technical post-mortem is promised but has not been published. In the meantime, the industry watchers have pointed to this as a real-world demonstration that AI agent safety cannot rest primarily on a warning checkbox or an opt-in toggle. Capability and caution are separate properties, and an environment that makes it easy to execute a destructive command will sometimes see that command executed.
Lock Down Your Environment Before the Fix Arrives
OpenAI’s engineering team is still rolling out patches, so the burden of safety sits with users right now. If you are running Codex or any agentic fork of GPT-5.6 on a Windows machine, take these steps immediately.
Switch out of Full-Access mode. The default approval setting prompts you before every action. If that feels too clunky, enable Auto-review, which lets the system run a second automated check before executing high severity commands. Either option will stop the known bug.
Run the agent under a dedicated standard user account. Do not attach it to an administrator profile or your everyday Microsoft Entra ID (Azure AD) identity. A separate account prevents the agent from accessing your full profile, browser data, and key vaults by default.
Isolate the workspace. Configure the agent to operate in a narrow folder such as C:\\AIWork\\ProjectName, not C:\\Users\\Name or the root of any drive. Explicitly avoid paths that synchronize with OneDrive, because a deletion could propagate to the cloud.
Treat databases as disposable. Credentials handed to the agent should point to a development instance you can afford to rebuild. Never give an AI tool destructive privileges on a production tenant.
Log everything PowerShell does. If your organization allows it, turn on Script Block Logging and transcription. Agent-issued commands remain visible in the logs after a mishap, which turns an inscrutable incident into something you can reconstruct.
Back up aggressively. Push code to remote repositories before each agent session. Make sure File History, volume snapshots, or a tested offline backup covers critical documents. A restore takes far less time than rebuilding a lost profile.
These precautions are not specific to GPT-5.6. They apply to any AI coding assistant that can execute commands locally. As agentic tools become more autonomous, treating them like an inexperienced contractor with a tightly fenced build machine is the cheapest insurance you can buy.
The Road Ahead for Autonomous Coding Agents
OpenAI’s next public step will be the detailed post-mortem. That document should clarify whether the event was a narrow flaw in GPT-5.6’s command construction, a broader weakness in Codex’s local-execution architecture, or both. Engineering leads have already signaled that the strongest remediation will happen in the harness—the deterministic safety layer that is supposed to say no when an agent asks to delete a home directory, regardless of what the language model thinks.
For Windows shops, the takeaway extends beyond one company’s bug. The industry is moving toward tools that can write code, manage files, and touch production infrastructure with minimal human oversight. That future requires execution boundaries that do not rely on a model’s ability to infer invisible rules. Least privilege, sandboxed workspaces, and auditable command logs will become standard for any AI agent granted real system access. The filing cabinets are already open; now we have to make sure the robot can’t set them on fire.