Full Report
Check Point says outbound controls blocked web traffic but overlooked DNS OpenAI talks up data security for its AI services, yet Check Point says that ChatGPT allowed data to leak through a DNS side channel before the flaw was fixed.…
Analysis Summary
# Vulnerability: OpenAI ChatGPT DNS Side-Channel Data Exfiltration
## CVE Details
- **CVE ID**: Not explicitly assigned in the report (often categorized under broader Prompt Injection or Insecure Output Handling CWEs)
- **CVSS Score**: Estimated 7.5 (High)
- **CWE**: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-520 (.NET Misconfiguration: Use of DNS Monitoring)
## Affected Systems
- **Products**: OpenAI ChatGPT (specifically the Code Execution and Data Analysis runtime)
- **Versions**: All versions prior to the February 20, 2026, fix.
- **Configurations**: Environments where ChatGPT has access to sensitive uploaded files (PDFs, CSVs, etc.) and utilizes third-party custom "GPTs" or the Advanced Data Analysis feature.
## Vulnerability Description
The vulnerability stems from a flaw in ChatGPT's "sandboxed" code execution environment. While OpenAI implemented outbound controls to block direct HTTP/HTTPS web traffic to prevent data leakage, it failed to restrict or monitor DNS (Domain Name System) queries.
By using a malicious prompt or a compromised third-party GPT, an attacker could force the code execution container to encode sensitive user data (such as health records or personal info) into subdomains of an attacker-controlled URL (e.g., `[encoded-data].attacker-domain.com`). The system’s attempt to resolve these domain names functioned as an unintentional side channel, smuggling data out through the DNS resolution process, which was not subject to the same egress filtering as standard web traffic.
## Exploitation
- **Status**: PoC available (developed by Check Point Research).
- **Complexity**: Low (requires a single malicious prompt or a pre-configured malicious GPT).
- **Attack Vector**: Network (Remote).
## Impact
- **Confidentiality**: High (Allows extraction of private user files and conversation history).
- **Integrity**: Low (Does not directly modify the core model).
- **Availability**: Low (No direct impact on service uptime).
## Remediation
### Patches
- **OpenAI Fix**: OpenAI deployed a backend update on **February 20, 2026**, to close this side channel. Since ChatGPT is a Cloud/SaaS product, users do not need to manually install a patch.
### Workarounds
- **Enterprise Controls**: Organizations should use Enterprise-grade Generative AI gateways that monitor and sanitize prompts.
- **Data Minimization**: Avoid uploading highly sensitive or regulated data (PII, HIPAA-protected info) into third-party GPTs until security audits are verified.
## Detection
- **Indicators of Compromise**:
- Unusual volumes of DNS queries originating from localized AI integration environments.
- Long, randomized subdomains appearing in DNS logs (potential Base64 or Hex encoded data).
- **Detection Methods**:
- Implement DNS filtering and Inspection (DNSSEC/DPI) to identify non-standard query patterns.
- Monitor for "Out-of-Band" (OOB) interactions mediated by LLM responses.
## References
- **Check Point Research**: hxxps://research[.]checkpoint[.]com/2026/chatgpt-data-leakage-via-a-hidden-outbound-channel-in-the-code-execution-runtime/
- **OpenAI Data Analysis Documentation**: hxxps://help[.]openai[.]com/en/articles/8437071-data-analysis-with-chatgpt#h_c840590525
- **Original Reporting**: hxxps://www[.]theregister[.]com/2026/03/30/openai_chatgpt_dns_leak/