OpenAI patched a ChatGPT vulnerability on February 20, 2026, after Check Point said a malicious prompt could exfiltrate user messages, uploaded files and other sensitive data from the AI system without consent.
KEY FACTS
- Issue: A hidden DNS-based channel let data leave ChatGPT’s Linux code execution runtime.
- Impact: The flaw could leak conversation content, files and other sensitive material.
- Fix: OpenAI addressed the problem on February 20, 2026.
- Known use: Check Point said there is no evidence of malicious exploitation.
In a technical analysis, Check Point said the bug bypassed ChatGPT guardrails by encoding information into DNS requests. The company said the method created a covert transport mechanism that the system did not treat as an external data transfer.
The report said a single malicious prompt could be enough to trigger leakage, including user messages and uploaded files. It said the same channel could also be used to establish remote shell access inside the Linux runtime and reach command execution.
Check Point said the risk could be delivered through prompts that persuade users to paste malicious text, and that the threat grows when the logic is embedded in custom GPTs. The company said the flaw was disclosed responsibly and patched by OpenAI before any known abuse.
The article also noted a separate command injection flaw in OpenAI Codex that BeyondTrust said could have exposed GitHub user access tokens and repository access. That issue was patched on February 5, 2026, and affected the ChatGPT website, Codex CLI, Codex SDK and the Codex IDE Extension.
WHY IT MATTERS
The findings show how AI tools with code execution or repository access can create new paths for data theft if they are not tightly isolated. They also highlight the need for organizations to add their own controls around prompts, plugins and connected services.
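One control of that kind is watching the DNS queries that leave a code execution sandbox for names that look like encoded data. The sketch below is an added example, not code from Check Point or OpenAI; the log format, host names, `.example` domains and thresholds are all constructed assumptions, and the heuristic (long, high-entropy labels repeated under one parent domain) is a general one rather than the specific encoding described in the report.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: (client, queried name). All names are made up.
SAMPLE_QUERIES = [
    ("sandbox-01", "pypi.org"),
    ("sandbox-01", "files.pythonhosted.org"),
    ("sandbox-01", "aaaaaaaaaaaaaaaaaaaaaaaa.cdn.example"),         # long, low entropy
    ("sandbox-01", "d3k7f2qmx9zt4hb6wn3ydr8v.cdn-assets.example"),  # random-looking, seen once
    ("sandbox-01", "k7f2qmx9zt4hb6wn3ydr8vpc.s1.collector.example"),
    ("sandbox-01", "cpv8rdy3nw6bh4tz9xmq2f7k.s2.collector.example"),
    ("sandbox-01", "x9zt4hb6wn3ydr8vpck7f2qm.s3.collector.example"),
]

def entropy(label):
    """Shannon entropy of a label, in bits per character."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def split_name(name):
    """Return (subdomain labels, parent domain).

    Assumption: the last two labels form the registered domain. Real
    deployments should use the Public Suffix List instead.
    """
    labels = name.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def find_dns_tunnelling(queries, min_len=20, min_entropy=3.5, min_unique=3):
    """Flag (client, parent) pairs with many distinct encoded-looking names."""
    suspicious = defaultdict(set)
    for client, name in queries:
        sub_labels, parent = split_name(name)
        if any(len(l) >= min_len and entropy(l) >= min_entropy for l in sub_labels):
            suspicious[(client, parent)].add(name.lower())
    return {k: sorted(v) for k, v in suspicious.items() if len(v) >= min_unique}

if __name__ == "__main__":
    for (client, parent), names in find_dns_tunnelling(SAMPLE_QUERIES).items():
        print(f"{client} -> {parent}: {len(names)} distinct encoded-looking names")
```

Requiring several distinct names under one parent keeps a single random-looking CDN hostname from raising an alert; the thresholds need tuning against a baseline of the sandbox's normal lookups.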

