CRITICAL: ChatGPT's Hidden Data Leak: How OpenAI's Code Execution Runtime Became a Covert Exfiltration Channel

Check Point researchers discovered a ChatGPT vulnerability allowing silent data exfiltration via DNS queries from the code execution sandbox. Separately, BeyondTrust found a critical command injection flaw in OpenAI Codex that enabled GitHub token theft through malicious branch names.

By Danny Mercer, CISSP — Lead Security Analyst Mar 31, 2026

If you have been pasting sensitive information into ChatGPT thinking it stays safely contained within your conversation, you might want to sit down for this one. Security researchers at Check Point have revealed a previously unknown vulnerability in OpenAI's flagship AI assistant that could have allowed malicious actors to silently siphon your conversations, uploaded files, and other sensitive data without triggering any warnings or requiring your consent. The flaw was patched on February 20, 2026, but the implications for how we think about AI security are far from resolved.

The vulnerability is particularly insidious because it exploits a fundamental assumption that many users and even security professionals make about ChatGPT. When you interact with the AI, especially when using its code execution and data analysis features, you naturally assume that the sandbox is isolated. No outbound network connections. No way for data to escape the conversation. OpenAI built multiple guardrails to enforce exactly this behavior, and for the most part, they work as intended. But security researchers love finding the exceptions, and Check Point found a big one.

The attack leverages what researchers describe as a covert transport mechanism hiding in plain sight. While ChatGPT's sandbox blocks direct outbound network requests, it still needs to perform DNS lookups as part of normal operation. DNS, the system that translates domain names to IP addresses, becomes the escape hatch. By encoding sensitive information directly into DNS query strings, an attacker could exfiltrate data through a channel that the AI system never recognized as an external data transfer. The DNS requests looked completely normal from the sandbox's perspective, but every query was actually carrying fragments of your conversation to an attacker-controlled server.

What makes this particularly dangerous is how invisible it was to users. Because the AI model operated under the assumption that its environment could not send data outward directly, it never flagged the behavior as suspicious. There was no warning dialog. No approval prompt. No indication whatsoever that your data was leaving the conversation. From the user's perspective, everything looked completely normal while their sensitive information was being quietly siphoned away.

The attack vector becomes even more concerning when you consider how it could be weaponized. A simple social engineering trick could convince a user to paste a malicious prompt into their ChatGPT session. The prompt might claim to unlock premium features or improve performance, a classic bait that has worked since the early days of computing. But the real damage comes from custom GPTs, where the malicious logic could be baked directly into the application. Users who trust and regularly interact with a compromised custom GPT would have their conversations continuously exfiltrated without ever needing to paste anything suspicious.

Check Point's Eli Smadja put it bluntly in his statement: "This research reinforces a hard truth for the AI era. Do not assume AI tools are secure by default." It is advice that should be tattooed on the foreheads of every enterprise IT leader who has been cheerfully uploading sensitive company data to AI assistants without implementing any additional security layer.

The ChatGPT data exfiltration flaw was not the only security issue OpenAI has been quietly patching. BeyondTrust's Phantom Labs team discovered a critical command injection vulnerability in OpenAI Codex, the company's cloud-based software engineering agent that helps developers write and review code. This one is a textbook example of how AI agents, with their privileged access to development environments, can become attack vectors that traditional security controls never anticipated.

The vulnerability exists in how Codex processes task creation requests, specifically in how it handles GitHub branch names. Because the input was not properly sanitized, an attacker could smuggle arbitrary commands through the branch name parameter in API requests. Once inside the agent's container, those commands could execute malicious payloads and, most critically, steal GitHub User Access Tokens. These are the same tokens Codex uses to authenticate with GitHub, meaning a successful attack grants the same level of access that Codex itself has.
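To make the bug class concrete, here is an added Python illustration (not Codex's code; the function names and the use of `echo` as a stand-in for `git` are assumptions) that shows an unsanitized branch name spliced into a shell command string next to a hardened version that validates the name against an allow-list and passes it to the tool as a separate argv element with no shell in between.

```python
import re
import subprocess

# Conservative allow-list for branch names. It is a subset of what git's own
# check-ref-format accepts, which is fine: a task API can require simple names.
BRANCH_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/\-]{0,254}$")


def is_safe_branch_name(name):
    """Return True only for plain git-style ref names with no shell
    metacharacters, no leading '-' (would parse as an option) and none of the
    sequences git itself forbids."""
    if not BRANCH_RE.fullmatch(name):
        return False
    if ".." in name or "//" in name:
        return False
    if name.endswith((".", "/", ".lock")):
        return False
    return True


def build_vulnerable_command(branch):
    """VULNERABLE (illustrative): the untrusted name is spliced into a command
    string that a shell will later interpret, so ';', '|', '$(...)' and friends
    inside the name become additional commands."""
    return f"echo checkout {branch}"  # 'echo' stands in for 'git checkout'


def run_vulnerable_demo(branch):
    """Execute the vulnerable string through /bin/sh and return stdout lines, so
    an injected command shows up as an extra line of output."""
    result = subprocess.run(build_vulnerable_command(branch), shell=True,
                            capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


def build_hardened_argv(branch):
    """HARDENED: reject anything outside the allow-list, then hand the name to
    the tool as a single argv element (shell=False). The regex already forbids a
    leading '-', so the name cannot be read as an option either."""
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", "switch", branch]


if __name__ == "__main__":
    # Constructed inputs: one ordinary branch name and one carrying a payload.
    for name in ("feature/login-fix", "main; echo INJECTED"):
        print("vulnerable:", run_vulnerable_demo(name))
        try:
            print("hardened:  ", build_hardened_argv(name))
        except ValueError as exc:
            print("hardened:  ", exc)
```

The two fixes are independent and both matter: the allow-list stops hostile input at the API boundary, and building argv as a list removes the shell entirely, so even a name that slips past validation is handed to the tool as data rather than parsed as commands.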

BeyondTrust's Kinnaird McQuade described the impact succinctly: "The attack granted lateral movement and read/write access to a victim's entire codebase." Think about what that means in a shared repository environment. One compromised developer interacting with a malicious branch could expose the authentication tokens of everyone else working on that repository. The attack surface scales with the size of the development team.

The researchers also demonstrated how the same technique could be extended beyond individual user tokens. By triggering Codex through GitHub PR comments, they were able to execute bash commands on code review containers and steal GitHub Installation Access tokens. These tokens provide even broader access, potentially affecting entire organizations rather than individual developers.

OpenAI patched the Codex vulnerability on February 5, 2026, after it was reported in December 2025. The fix affects the ChatGPT website, Codex CLI, Codex SDK, and the Codex IDE Extension. If you are using any of these tools, you are already protected. But the broader lesson here extends far beyond a single patched vulnerability.

Both of these vulnerabilities highlight a security reality that the industry is still grappling with. AI agents are no longer just chatbots that answer questions. They are becoming full computing environments that handle sensitive data, execute code, authenticate to third-party services, and operate with privileged access that would make any security auditor nervous. The security models we have built for traditional software do not always translate cleanly to these new paradigms.

The ChatGPT vulnerability exploited assumptions about network isolation that seemed reasonable when the sandbox was designed. The Codex vulnerability exploited assumptions about input sanitization that would have been caught in a traditional code review but slipped through because the attack vector, malicious branch names, was not in anyone's threat model. In both cases, the AI systems were doing exactly what they were designed to do. They just were not designed with these specific attack scenarios in mind.

BeyondTrust's analysis captures the urgency well: "As AI agents become more deeply integrated into developer workflows, the security of the containers they run in and the input they consume must be treated with the same rigor as any other application security boundary." The attack surface is expanding, and security needs to keep pace.

For enterprises that have been enthusiastically adopting AI tools, these vulnerabilities serve as a wake-up call. Native security controls provided by AI vendors are necessary but not sufficient. Organizations need independent visibility and layered protection between themselves and the AI services they consume.

Start by auditing how AI tools are being used across your organization. What sensitive data is being uploaded to ChatGPT or similar services? Are developers using AI coding assistants with access to production repositories? Have any custom GPTs been deployed without security review? The answers might be uncomfortable, but ignorance is not a defense.

Consider implementing monitoring solutions that can detect unusual patterns in AI tool usage. Prompt injection attacks, data exfiltration attempts, and other AI-specific threats require AI-aware security tools. Traditional DLP solutions were not designed to monitor DNS-encoded data exfiltration from AI sandboxes.
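As an added illustration of the DNS-encoded exfiltration described earlier and of the kind of AI-aware monitoring this paragraph calls for (example code, not from Check Point's research or from OpenAI), the following Python script runs a simple detector over constructed resolver query log lines of the sort a sandbox egress resolver or enterprise DNS logger might emit. It flags a parent domain when many distinct, long, high-entropy subdomains under it are each queried only once, which is the shape DNS-tunnelled data takes. The log format, the thresholds and the `exfil-demo.example` domain are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines, shaped like a minimal resolver query log:
# "<unix_ts> client=<ip> q=<name> type=<rrtype>". The labels under
# exfil-demo.example are hex-encoded text fragments, one chunk per query.
SAMPLE_LOG = """\
1771000001 client=10.0.3.7 q=pypi.org type=A
1771000001 client=10.0.3.7 q=files.pythonhosted.org type=A
1771000002 client=10.0.3.7 q=7468652071756963.exfil-demo.example type=A
1771000002 client=10.0.3.7 q=6b2062726f776e20.exfil-demo.example type=A
1771000003 client=10.0.3.7 q=666f78206a756d70.exfil-demo.example type=A
1771000003 client=10.0.3.7 q=73206f7665722074.exfil-demo.example type=A
1771000004 client=10.0.3.7 q=6865206c617a7920.exfil-demo.example type=A
1771000005 client=10.0.3.7 q=api.github.com type=A
"""

# Detection thresholds (assumed starting points; tune against your own baseline)
MIN_DISTINCT_SUBDOMAINS = 4   # many never-seen-again names under one parent
MIN_AVG_SUBDOMAIN_LEN = 12    # long labels carry more payload per query
MIN_UNIQUE_RATIO = 0.8        # nearly every query to the parent is a new name
MIN_ENTROPY_BITS = 2.0        # encoded payload looks random, hostnames do not

QUERY_RE = re.compile(r"\bq=(?P<name>[A-Za-z0-9.\-_]+)")


def shannon_entropy(text):
    """Bits of entropy per character over the string's character distribution."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_query(name):
    """Split a query name into (registered domain, subdomain part).
    Assumption: the registered domain is the last two labels. Production code
    should consult the Public Suffix List (think co.uk) instead."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def summarise(log_text):
    """Aggregate per-parent-domain features from raw log lines."""
    per_parent = defaultdict(lambda: {"total": 0, "subs": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; ignore
        parent, sub = split_query(m.group("name"))
        entry = per_parent[parent]
        entry["total"] += 1
        if sub:
            entry["subs"].add(sub)
    stats = {}
    for parent, entry in per_parent.items():
        subs = entry["subs"]
        stats[parent] = {
            "total": entry["total"],
            "distinct": len(subs),
            "avg_len": (sum(len(s) for s in subs) / len(subs)) if subs else 0.0,
            "unique_ratio": len(subs) / entry["total"],
            "entropy": shannon_entropy("".join(subs).replace(".", "")),
        }
    return stats


def flag_suspicious(log_text):
    """Return the sorted list of parent domains whose query pattern crosses
    every threshold at once (all four must hold to keep false positives down)."""
    flagged = []
    for parent, s in summarise(log_text).items():
        if (s["distinct"] >= MIN_DISTINCT_SUBDOMAINS
                and s["avg_len"] >= MIN_AVG_SUBDOMAIN_LEN
                and s["unique_ratio"] >= MIN_UNIQUE_RATIO
                and s["entropy"] >= MIN_ENTROPY_BITS):
            flagged.append(parent)
    return sorted(flagged)


if __name__ == "__main__":
    for parent, s in summarise(SAMPLE_LOG).items():
        print(f"{parent:28s} {s}")
    print("flagged:", flag_suspicious(SAMPLE_LOG))
```

Legitimate CDN and telemetry domains also generate many distinct subdomains, so in practice the thresholds are baselined per environment and the parent-domain extraction uses the Public Suffix List; the structure of the check (distinct names, label length, one-shot ratio, entropy, all required together) is what carries over to a real detection rule.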

For development teams using AI coding assistants, ensure that the tokens these tools use have the minimum necessary permissions. A code review agent does not need write access to production branches. Apply the principle of least privilege as aggressively as you would for any other automated tool with repository access.

Finally, stay informed. AI security is evolving rapidly, and the threat landscape is evolving with it. The vulnerabilities disclosed today will be patched, but the underlying attack patterns will continue to appear in new forms. Exploiting sandbox assumptions, weaponizing privileged access, and using side channels for data exfiltration are techniques that attackers will refine and reuse. Building organizational awareness is as important as any technical control.

The age of AI-powered productivity is here, and it is bringing AI-powered risks along with it. The organizations that thrive will be the ones that embrace both realities.
