Full Report
A previously unknown vulnerability in OpenAI ChatGPT allowed sensitive conversation data to be exfiltrated without user knowledge or consent, according to new findings from Check Point. "A single malicious prompt could turn an otherwise ordinary conversation into a covert exfiltration channel, leaking user messages, uploaded files, and other sensitive content," the cybersecurity company said in
Analysis Summary
# Vulnerability: OpenAI ChatGPT Covert DNS Exfiltration via Linux Runtime
## CVE Details
- **CVE ID**: Not explicitly listed (Internal tracking by OpenAI/Check Point)
- **CVSS Score**: Not provided (Estimated High/Critical based on data exfiltration and RCE potential)
- **CWE**: CWE-748 (Information Leak Through Debugging Printable Messages) / CWE-807 (Reliance on Untrusted Inputs in a Security Decision)
## Affected Systems
- **Products**: OpenAI ChatGPT
- **Versions**: All versions prior to February 20, 2026.
- **Configurations**: Systems utilizing the Code Execution Runtime (Data Analysis/Advanced Data Analysis features).
## Vulnerability Description
The flaw resides in the Linux runtime environment used by ChatGPT for executing code and performing data analysis. While OpenAI implements guardrails to prevent direct outbound network requests (HTTP/HTTPS), the research identified a side channel within the environment's DNS resolution process.
Attackers can encode sensitive data (such as conversation history, uploaded files, or environment variables) into DNS queries. These queries bypass traditional AI guardrails because the system incorrectly assumed the environment was network-isolated. Furthermore, this hidden communication path could be leveraged to establish a remote shell, leading to unauthorized command execution within the sandbox.
## Exploitation
- **Status**: PoC available (Discovered by Check Point Research); no evidence of exploitation in the wild.
- **Complexity**: Medium (Requires crafting a malicious prompt or a backdoored Custom GPT).
- **Attack Vector**: Network (Remote via malicious prompt injection).
## Impact
- **Confidentiality**: High (Ability to silently exfiltrate user prompts, files, and session data).
- **Integrity**: Medium (Potential for command execution within the runtime environment).
- **Availability**: Low (The primary impact is data theft rather than service denial).
## Remediation
### Patches
- **OpenAI Update**: A server-side patch was deployed on **February 20, 2026**. Users do not need to take action for the web or official mobile applications as the fix was applied to the backend infrastructure.
### Workarounds
- **Prompt Sanitization**: Organizations should use independent security layers to filter for prompt injection.
- **Vetting Custom GPTs**: Users should avoid using third-party Custom GPTs from untrusted sources, as the malicious logic can be "baked in."
## Detection
- **Indicators of Compromise**:
  - Presence of unusual, encoded subdomains in DNS logs originating from AI runtime environments (e.g., `<encoded_data>.attacker-domain.com`).
  - Prompts that attempt to invoke system-level commands or network-diagnostic tools (like `nslookup` or `dig`) within the data analysis sandbox.
- **Detection Methods**: Monitor for "Prompt Poaching" patterns where large amounts of data are requested to be processed or summarized in conjunction with suspicious outbound logic.
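
One way to hunt for the encoded-subdomain indicator above in resolver logs, shown as an added example that is not code from Check Point or OpenAI. The log format (`<timestamp> <source> <qname>`), the host names, the sample queries, and the length, entropy and count thresholds are all constructed assumptions to tune against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <source> <qname>" (format is an assumption).
SAMPLE_LOG = """\
2026-02-10T10:00:01Z sandbox-17 pypi.org
2026-02-10T10:00:02Z sandbox-17 files.pythonhosted.org
2026-02-10T10:00:05Z sandbox-17 nbswy3dpeb3w64tmmqqho2lunbqxg5dfon2a.x1.example.net
2026-02-10T10:00:05Z sandbox-17 mfrggzdfmztwq2lknnwg23tpobyxe43uov3h.x1.example.net
2026-02-10T10:00:06Z sandbox-17 o5uxi2dfoj2hs4dfebuw4zdjmnqxizlomrsw.x1.example.net
2026-02-10T10:00:09Z sandbox-22 www.example.org
"""

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_domain(qname, keep=2):
    """Naive parent: last `keep` labels (production use should consult the Public Suffix List)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-keep:])

def suspicious_label(label, min_len=24, min_entropy=3.5):
    """Long, high-entropy labels look like encoded payload rather than a host name."""
    return len(label) >= min_len and entropy(label) >= min_entropy

def find_dns_exfil(log_text, min_unique=3):
    """Return {(source, parent): sorted suspicious labels} where a source sent
    at least `min_unique` distinct encoded-looking labels under one parent domain."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, source, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        for label in labels[:-2]:  # only labels left of the parent domain
            if suspicious_label(label):
                hits[(source, parent_domain(qname))].add(label)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_unique}

if __name__ == "__main__":
    for (source, parent), labels in find_dns_exfil(SAMPLE_LOG).items():
        print(f"{source} -> {parent}: {len(labels)} encoded-looking subdomains")
```

Requiring several distinct labels per source and parent domain keeps a single long CDN or tracking host name from raising an alert on its own.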
## References
- **Check Point Research**: hxxps[://]research[.]checkpoint[.]com/2026/chatgpt-data-leakage-via-a-hidden-outbound-channel-in-the-code-execution-runtime/
- **The Hacker News**: hxxps[://]thehackernews[.]com/2026/03/openai-patches-chatgpt-data[.]html
- **OpenAI Support - Data Analysis**: hxxps[://]help[.]openai[.]com/en/articles/8437071-data-analysis-with-chatgpt