Full Report
Cybersecurity researchers have disclosed details of a vulnerability in OpenAI ChatGPT that leverages the artificial intelligence (AI) assistant's implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks. The technique has been codenamed ChatGPhish by Permiso Security. "The chatgpt.com response renderer trusts Markdown links and Markdown
Analysis Summary
# Vulnerability: ChatGPhish - Prompt Injection via Markdown Rendering
## CVE Details
- **CVE ID**: Not provided (Researcher-disclosed as "ChatGPhish")
- **CVSS Score**: N/A (Severity: Moderate to High depending on the scenario)
- **CWE**: CWE-79 (Improper Neutralization of Input During Web Page Generation / Injection)
## Affected Systems
- **Products**: OpenAI ChatGPT
- **Versions**: Web-based interface (chatgpt.com) available as of May 2026.
- **Configurations**: Any session where the "Web Search" or "Summarization" feature is used to process third-party URLs.
## Vulnerability Description
The ChatGPhish vulnerability stems from the OpenAI ChatGPT response renderer’s implicit trust in Markdown elements provided by third-party sources. When a user asks the assistant to summarize a webpage, the AI processes the site's content. If that content contains specially crafted Markdown (images or links), the ChatGPT UI automatically renders them.
Automated image fetching allows an attacker to leak a user’s IP address, User-Agent, and Referer data simply by the act of rendering the summary. Furthermore, the renderer allows malicious links to appear as legitimate system-style alerts or "trusted" UI elements, which can be used to trick users into clicking malicious URLs or scanning attacker-controlled QR codes.
## Exploitation
- **Status**: PoC available (Disclosed by Permiso Security)
- **Complexity**: Low
- **Attack Vector**: Network (Indirect via web summarization)
## Impact
- **Confidentiality**: Low/Medium (Leakage of IP, browser metadata; potential credential theft via phishing)
- **Integrity**: Medium (Attacker can influence the visual output of the "trusted" assistant)
- **Availability**: None
## Remediation
### Patches
- No specific patch version listed. OpenAI typically handles these via server-side updates to the renderer and sanitization logic.
### Workarounds
- **User Awareness**: Exercise caution when using AI to summarize unknown or untrusted websites.
- **Content Security Policy (CSP)**: Users can use browser extensions to limit the domains from which the ChatGPT interface is allowed to fetch images.
- **QR Caution**: Avoid scanning QR codes generated within an AI chat interface.
## Detection
- **Indicators of Compromise**:
  - Unusual requests in browser network logs to unknown S3 buckets or external image hosts during a ChatGPT session.
  - Unexpected "System Alerts" or authentication prompts appearing within the chat response area.
- **Detection methods and tools**:
  - Monitor web traffic for outbound connections to suspicious domains triggered while visiting hxxps[://]chatgpt[.]com.
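
One way to check a browser network log for the first indicator above, as an added example that is not code from Permiso Security or OpenAI: it reads a HAR export and reports image fetches made from the chat UI to hosts outside a first-party list. The `FIRST_PARTY` list, the sample entries and every host other than chatgpt.com are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: suffixes treated as first-party for the chat UI. Only chatgpt.com
# comes from the page; add the asset hosts you observe in a clean session.
FIRST_PARTY = ("chatgpt.com",)

def _sample_entry(url, referer, mime):
    return {"request": {"url": url, "headers": [{"name": "Referer", "value": referer}]},
            "response": {"content": {"mimeType": mime}}}

# Constructed HAR excerpt (not captured traffic); every host except
# chatgpt.com is a placeholder.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _sample_entry("https://chatgpt.com/placeholder/api", "https://chatgpt.com/", "application/json"),
    _sample_entry("https://bucket.storage.example/px.png?id=1", "https://chatgpt.com/", "image/png"),
    _sample_entry("https://chatgpt.com/placeholder/logo.svg", "https://chatgpt.com/", "image/svg+xml"),
    _sample_entry("https://img.other.example/a.jpg", "https://news.example/", "image/jpeg"),
]}})

def _first_party(host):
    # Match on a label boundary so "notchatgpt.com" is not treated as first-party.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY)

def _referer_host(entry):
    for h in entry.get("request", {}).get("headers", []):
        if h.get("name", "").lower() == "referer":
            return urlsplit(h.get("value", "")).hostname
    return None  # Referer stripped by policy: this entry cannot be attributed

def external_image_fetches(har_text):
    """Return (host, url) for image fetches made from the chat UI to other hosts."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry.get("request", {}).get("url", "")
        mime = entry.get("response", {}).get("content", {}).get("mimeType") or ""
        # Chrome exports also tag entries with _resourceType; blocked or failed
        # image loads often have no MIME type, so accept either signal.
        is_image = mime.lower().startswith("image/") or entry.get("_resourceType") == "image"
        host = urlsplit(url).hostname
        if is_image and _first_party(_referer_host(entry)) and not _first_party(host):
            findings.append((host, url))
    return findings

if __name__ == "__main__":
    for host, url in external_image_fetches(SAMPLE_HAR):
        print(f"external image fetched during chat session: {host} {url}")
```

Entries without a Referer header are skipped, so a hit list from this check is a lower bound; reviewing the HAR by page or initiator covers sessions where the Referer is stripped.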
## References
- Permiso Security Blog: hxxps[://]permiso[.]io/blog/chatgpt-markdown-rendering-vulnerability
- The Hacker News: hxxps[://]thehackernews[.]com/2026/05/chatgphish-vulnerability-turns-chatgpt.html
- Related Cross-Prompt Injection (XPIA) Research: hxxps[://]permiso[.]io/blog/copilot-prompt-injection-ai-email-phishing