OpenAI patched ChatGPT DNS exfiltration flaw and Codex command injection bug
OpenAI patched a ChatGPT vulnerability that allowed sensitive conversation data and uploaded files to be exfiltrated through a covert DNS-based outbound channel in the platform's code-execution runtime. Check Point Research said a malicious prompt or backdoored custom GPT could abuse the isolated Python/Linux environment to leak user content without approval dialogs or visible warnings, and the same path could support bidirectional communication for remote shell access and command execution. OpenAI said it had already identified the underlying issue internally and fully deployed a fix on February 20, 2026; reports said there is no evidence of malicious exploitation.
A separate OpenAI flaw in Codex also drew scrutiny after BeyondTrust Phantom Labs disclosed a critical command injection issue tied to GitHub branch names. The bug could let attackers inject commands, steal GitHub tokens, and potentially move laterally across shared repositories before OpenAI patched it on February 5, 2026. The disclosures underscore how AI assistants and coding agents can introduce new enterprise attack paths when outbound communications, runtime isolation, and input validation are not tightly controlled.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Check Point discloses ChatGPT hidden outbound channel vulnerability
Check Point Research publicly disclosed that a malicious prompt or backdoored custom GPT could abuse DNS tunneling from ChatGPT's isolated Python/Linux code-execution environment to silently leak user data. The researchers also said the same covert channel could support bidirectional communication and remote shell access inside the runtime.
OpenAI fully deploys fix for ChatGPT DNS exfiltration flaw
OpenAI fully deployed a fix for a ChatGPT vulnerability that allowed sensitive conversation data and uploaded files to be exfiltrated through a covert DNS-based outbound channel in the code-execution runtime. OpenAI said it had already identified the underlying issue internally, and there was no evidence of malicious exploitation.
OpenAI patches Codex GitHub token theft vulnerability
OpenAI fixed a critical command injection flaw in Codex that allowed attackers to inject commands via GitHub branch names, steal GitHub tokens, and potentially move laterally across shared repositories. The issue was disclosed by BeyondTrust Phantom Labs and was patched on February 5, 2026.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
OpenAI Patches ChatGPT Data Exfiltration Flaw and Codex GitHub Token Vulnerability
thehackernews.com
Open sourceChatGPT Data Leakage via a Hidden Outbound Channel in the Code Execution Runtime - Check Point Research
research.checkpoint.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OpenAI Codex CLI Command Injection Vulnerability
OpenAI addressed a critical command-injection vulnerability in its Codex CLI tool that allowed attackers to execute arbitrary commands on developer machines by hiding malicious configuration files within code repositories. The flaw, disclosed by Check Point and patched in Codex CLI version 0.23.0, exploited the way the tool automatically loaded and executed MCP server entries from project-local configuration files. If a repository contained a file that redirected the configuration directory and included a malicious MCP server command, Codex CLI would execute those commands as soon as a developer ran the Codex command, potentially compromising the system. This vulnerability turned routine developer workflows into attack vectors, as simply running Codex CLI in a tampered repository could result in the execution of hidden commands without the user's knowledge. OpenAI released a fix for the issue after being notified by Check Point, mitigating the risk of attackers hijacking developer machines through this vector. Security teams are advised to ensure all Codex CLI installations are updated to the latest version and to review repository sources before running AI-powered development tools.
Jun 29, 2026
OpenAI GPT-5.2-Codex Release and AI-Driven Vulnerability Detection
OpenAI has released GPT-5.2-Codex, a new AI model designed to enhance agentic coding and cybersecurity tasks, with notable improvements in vulnerability detection and software engineering workflows. The model demonstrates superior performance on benchmarks such as SWE-Bench Pro and Terminal-Bench 2.0, and excels in professional Capture-the-Flag challenges, supporting advanced tasks like fuzzing, attack surface analysis, and test environment setup. OpenAI has implemented stronger safeguards to mitigate dual-use risks and is offering the model to paid ChatGPT Codex users, with an invite-only pilot for vetted cybersecurity professionals focused on defensive applications. The model's capabilities have already contributed to the discovery of several critical vulnerabilities in React Server Components, including CVE-2025-55182 (RCE), CVE-2025-55183 (source code exposure), and CVE-2025-67779 (DoS), prompting urgent patching recommendations. Industry research highlights both the promise and risks of AI-generated code, with studies showing that machine-written pull requests contain significantly more bugs and security vulnerabilities than those authored solely by humans. Issues such as improper password handling, insecure object references, and cross-site scripting are notably more prevalent in AI-generated code, raising concerns about the security implications of rapid AI-driven development. These findings underscore the importance of robust review processes and the need for continued vigilance as AI tools become more deeply integrated into software engineering and cybersecurity operations.
Jun 29, 2026
ChatGPT Vulnerabilities Enable Data Exfiltration via ShadowLeak and ZombieAgent
Security researchers at Radware have uncovered critical vulnerabilities in OpenAI's ChatGPT platform, specifically targeting its Connectors and Memory features. These flaws, named ShadowLeak and ZombieAgent, allow attackers to exfiltrate sensitive data from connected services such as Gmail, Outlook, and GitHub without user interaction. The attacks exploit the AI's tendency to follow embedded malicious instructions, enabling zero-click and one-click data theft, persistent access through memory modification, and even propagation to other users by harvesting email addresses. OpenAI initially attempted to mitigate these vulnerabilities by restricting dynamic URL modifications, but researchers demonstrated effective bypasses using pre-built static URLs, reviving the threat under the new moniker ZombieAgent. The vulnerabilities highlight the inherent risks of integrating AI assistants with external systems and storing long-term user data for personalization. Attackers can embed hidden prompts in emails or files—using techniques like white text or tiny fonts—that are executed when ChatGPT processes the content, leading to stealthy data leaks via OpenAI's own servers. Despite OpenAI's efforts to patch the flaws, the reactive nature of these fixes has left the platform susceptible to new variants, underscoring the ongoing challenge of securing AI-driven services against prompt injection and data exfiltration attacks.
Jun 29, 2026