CHECK Point Research disclosed a hidden outbound communication path from ChatGPT’s isolated execution runtime to the public internet, enabling silent exfiltration of chat content, uploaded files, and other sensitive data. They showed how a single malicious prompt could turn an ordinary conversation into a covert data channel, with the attack potentially harvesting not only user messages but also model-generated outputs such as summaries or medical assessments.
The researchers demonstrated that the same channel could be used to establish remote shell access inside the Linux environment ChatGPT uses for code execution and data analysis, bypassing normal safety checks. The technique relies on DNS tunneling, using DNS resolution to carry encoded data out of the container and back in, even though conventional outbound internet access is blocked. OpenAI confirmed that the underlying issue had been identified and a fix was deployed on 20 February 2026.
According to OpenAI, safeguards like explicit user approval for external API calls and the secure Data Analysis runtime are designed to limit such outbound transfers, but the researchers caution that AI systems now function as real execution environments with expansive attack surfaces.