All platforms · 10 min · Upstream checked July 17, 2026

Codex CDP connection error: safe fixes

Diagnose connection refused, occupied ports, wrong renderer targets, and stale Codex CDP sessions on macOS or Windows.

Platform behavior can change. Compare this guide with the original repository at commit a1c48b3a84cc.

Quick answer

Restore the old session, confirm the endpoint is loopback-only, and identify the process that owns the port. Relaunch through the current original workflow only after stock Codex works; never bypass an unknown owner or expose CDP to the network.

01Restore the recorded theme session
02Confirm loopback port ownership
03Verify the official process and renderer
04Relaunch once and run Verify

Translate the CDP error into one failure layer

Connection refused usually means no debug endpoint is listening at the recorded address. An occupied-port error means another process already owns the requested port. A target mismatch means CDP responded, but the renderer did not belong to the expected official Codex process or did not expose the expected app markers. A disconnect after launch can indicate stale process state or a renderer reload. Record the exact message, platform, Codex version, upstream commit, port, and first failing verification step before changing anything.

Check the boundary before trying another port

The endpoint should be a loopback address such as 127.0.0.1, never a LAN address, 0.0.0.0, public host, or tunnel. Confirm the listening process is the current official Codex application or a legitimate child started by the reviewed workflow. Do not solve an identity failure by disabling the check. If the owner is unknown, Restore or stop the recorded session, close Codex normally, and investigate the port owner before relaunching.

Use the platform behavior that upstream actually documents

On macOS, the current workflow launches Codex through a user launch agent, binds CDP to loopback, validates the application identity, and accepts the port only when it belongs to Codex or a legitimate child. On Windows, the normal launcher can scan for a free port when 9335 is occupied; an explicitly requested occupied port fails closed. Windows also checks the current Store package, Browser ID, executable path, and launch-time identity instead of trusting a saved path after an app update.

Repair with a clean, verifiable session

Use the documented Restore flow, confirm stock Codex opens, then update or reinstall from the current original repository. Launch once through the normal theme entry point and run the platform verifier. Check Home, a normal Task, route navigation, native composer, sidebar, menus, and Restore. If the endpoint connects but the expected renderer remains missing, report the exact version boundary upstream instead of exposing CDP or patching the signed application.

Never expose CDP beyond loopback, attach to an unknown process, disable process-identity checks, or kill unrelated processes just to make a port available.

Completion checklist

Frequently asked questions

Why does Codex Dream Skin show a CDP connection error?

The debug endpoint may not be listening, the requested port may belong to another process, the saved session may be stale, or the renderer may no longer match the expected official Codex target.

What should I do if port 9335 is occupied?

On Windows, use the normal upstream launcher so it can choose a free port. If you explicitly requested 9335, let the workflow fail closed and identify the current owner instead of killing an unrelated process.

Can I use 0.0.0.0 to fix the connection?

No. The reviewed security boundary is loopback-only. Binding CDP to 0.0.0.0 or forwarding it through a tunnel materially increases exposure and is not a safe repair.

Related guides