OpenAI has patched two significant security vulnerabilities affecting its widely used artificial intelligence platforms, ChatGPT and Codex, following responsible disclosures from cybersecurity researchers. While there is no evidence that either flaw was exploited in real-world attacks, experts say the incidents highlight systemic risks as AI systems evolve into full-scale computing environments.
Hidden Data Exfiltration Channel Discovered in ChatGPT
The first vulnerability, identified by Check Point researchers, exposed a novel method for silently extracting sensitive user data from ChatGPT sessions without user awareness.
According to the Check Point Report, attackers could craft a single malicious prompt capable of transforming a normal interaction into a covert data exfiltration channel. This technique allowed access to:
- User messages
- Uploaded documents
- Potentially sensitive contextual data
The attack bypassed ChatGPT’s built-in safeguards by exploiting a previously unrecognized side channel within its Linux-based execution environment.
Rather than relying on traditional network requests—which are typically restricted—the exploit leveraged a DNS-based covert communication mechanism. By encoding data into DNS queries, attackers could transmit information externally without triggering security warnings or requiring user consent.
Researchers emphasized that this behavior remained effectively invisible: the system assumed the execution environment was isolated and therefore did not treat the activity as an external data transfer.
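The query pattern such a channel leaves in resolver logs is what a defender can look for. The following detector is an added illustration, not Check Point's tooling; the thresholds, the zone name c2-collector.example and the log lines are constructed.

```python
"""Flag DNS queries consistent with data chunked into subdomain labels (constructed thresholds and log)."""
import math
from collections import defaultdict

MIN_SUBDOMAIN_CHARS = 24   # encoded chunks are long; ordinary hostnames rarely are
MIN_ENTROPY = 3.5          # bits per char; random base32/base64 labels sit above this
MIN_DIGIT_RATIO = 0.3      # hex-encoded text is digit-heavy even when its entropy is low
MIN_UNIQUE_SUBDOMAINS = 3  # exfiltration needs many distinct queries to the same zone

# Constructed resolver log "<epoch> <client> <qname> <qtype>"; the c2-collector.example queries carry hex chunks of a JSON document.
SAMPLE_LOG = """\
1700000001 10.0.0.5 api.openai.com A
1700000002 10.0.0.5 pypi.org A
1700000003 10.0.0.5 0.7b2275736572223a226a2e646f65222c.c2-collector.example A
1700000004 10.0.0.5 files.pythonhosted.org A
1700000005 10.0.0.5 1.2270726f6a656374223a2261746c6173.c2-collector.example A
1700000006 10.0.0.5 cdn-1234.static.example A
1700000007 10.0.0.5 2.222c226e6f7465223a22713420706c61.c2-collector.example A
1700000008 10.0.0.5 3.6e2072657669657720706164696e677d.c2-collector.example A
"""

def shannon_entropy(s):
    """Bits per character over the string's own symbol distribution."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0

def split_zone(qname):
    """Zone = last two labels (crude; use the public suffix list in production)."""
    labels = qname.rstrip(".").split(".")
    return (qname, "") if len(labels) <= 2 else (".".join(labels[-2:]), ".".join(labels[:-2]))

def is_suspicious(subdomain):
    """Long subdomain that is high-entropy or digit-heavy (hex/base32 payload)."""
    stripped = subdomain.replace(".", "").replace("-", "")
    if len(stripped) < MIN_SUBDOMAIN_CHARS:
        return False
    digit_ratio = sum(c.isdigit() for c in stripped) / len(stripped)
    return shannon_entropy(stripped) >= MIN_ENTROPY or digit_ratio >= MIN_DIGIT_RATIO

def detect_dns_exfil(log_text):
    """Return {zone: distinct suspicious subdomains} for zones over the volume threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        zone, sub = split_zone(parts[2].lower())
        if sub and is_suspicious(sub):
            seen[zone].add(sub)
    return {z: len(s) for z, s in seen.items() if len(s) >= MIN_UNIQUE_SUBDOMAINS}
```

In a sandboxed execution environment the stronger control is to deny outbound DNS to arbitrary zones entirely; this heuristic is for the resolver logs of environments where that is not yet in place.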
From Prompt Injection to Persistent Threat
The vulnerability also amplified the risk posed by custom GPTs, which allow users to create tailored AI agents.
Instead of convincing users to manually paste malicious prompts, attackers could embed harmful logic directly into these custom configurations—turning them into persistent, stealthy attack vectors.
In practical terms, a user might be tricked with a seemingly benign instruction, such as:
- Unlocking hidden features
- Improving performance
- Accessing premium capabilities
Behind the scenes, however, the AI could begin leaking data through the covert DNS channel.
Patch Timeline and Risk Assessment
OpenAI addressed the issue on February 20, 2026, after responsible disclosure. The company stated that there is no indication of active exploitation, though the nature of the flaw has raised concerns about detection limitations.
Such vulnerabilities create “blind spots” in AI systems, where neither users nor the platform can easily detect misuse.
Broader Implications for Enterprise AI Adoption
The findings arrive at a time when AI tools like ChatGPT are increasingly embedded in enterprise workflows, often handling:
- Proprietary business data
- Customer information
- Internal communications
Organizations are advised to implement layered security architectures, including:
- Independent monitoring of AI interactions
- Prompt injection defenses
- Data loss prevention (DLP) controls
- Isolation of sensitive workflows
Rise of “Prompt Poaching” via Browser Extensions
The disclosure also coincides with a growing trend identified by security researchers: malicious or compromised browser extensions capable of siphoning chatbot conversations.
Such tools can silently collect:
- Credentials
- Intellectual property
- Personally identifiable information
These risks extend beyond individuals to organizations, where compromised endpoints could expose entire datasets or internal systems.
Second Flaw: Codex Vulnerability Enabled GitHub Token Theft
In a separate but equally serious finding, researchers from BeyondTrust uncovered a command injection vulnerability in OpenAI’s Codex platform.
The flaw allowed attackers to manipulate the system via a GitHub branch name parameter, enabling execution of arbitrary commands inside Codex’s cloud environment.
How the Attack Worked
The vulnerability stemmed from insufficient input sanitization in backend API requests. By crafting a malicious branch name, attackers could:
- Inject commands into Codex task execution
- Run payloads inside a containerized environment
- Extract sensitive authentication credentials
Most notably, attackers could steal:
- GitHub User Access Tokens
- GitHub Installation Tokens
These tokens grant extensive permissions, including read/write access to repositories.
Exploiting Developer Workflows
The attack could be triggered through normal developer activity. For example:
- A malicious branch is created
- A pull request references Codex (e.g., via @codex)
- Codex automatically initiates a code review
- The injected payload executes and exfiltrates data
This creates a highly scalable attack vector, particularly in collaborative or open-source environments.
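The root cause described in both sections above is a branch name reaching a command without validation. The following is an added example, not Codex's code: the unsafe string-building shape beside a hardened handler that validates the name against git's ref-name rules and passes it as a single argv element. The allowlist regex and the function names are assumptions made for the illustration.

```python
"""Branch-name handling: the unsafe shape the Codex flaw resembles, beside a hardened form.
Added illustration, not Codex's code; the allowlist is a policy choice, not git's full rule set."""
import re
import subprocess

# Stricter than git check-ref-format: ASCII only, starts alphanumeric, no shell metacharacters.
BRANCH_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")

def validate_branch_name(name):
    """Return `name` or raise ValueError; applies git's ref-name rules on top of the allowlist."""
    if not BRANCH_RE.fullmatch(name):
        raise ValueError("branch name contains disallowed characters")
    if ".." in name or "//" in name or "@{" in name:
        raise ValueError("branch name contains a forbidden sequence")
    parts = name.split("/")
    if name.endswith(("/", ".")) or any(p.startswith(".") or p.endswith(".lock") for p in parts):
        raise ValueError("branch name has an invalid path component")
    return name

def is_valid_branch_name(name):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_branch_name(name)
        return True
    except ValueError:
        return False

def build_fetch_unsafe(branch):
    """Vulnerable shape: untrusted text spliced into a string destined for shell=True."""
    return f"git fetch origin {branch}"

def build_fetch_safe(branch):
    """Hardened: validate first, then carry the name as one argv element inside an explicit refspec."""
    branch = validate_branch_name(branch)
    return ["git", "fetch", "origin", f"refs/heads/{branch}:refs/remotes/origin/{branch}"]

def fetch_branch(branch, repo_dir):
    """Run the hardened command; a list argv never passes through a shell."""
    return subprocess.run(build_fetch_safe(branch), cwd=repo_dir, check=True,
                          capture_output=True, text=True)
```

The refs/heads/ prefix also guarantees the argument can never be parsed as a git option, which closes the argument-injection variant that argv alone does not.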
Patch and Scope of Impact
OpenAI fixed the Codex vulnerability on February 5, 2026, following its disclosure in December 2025.
Affected systems included:
- ChatGPT web interface
- Codex CLI
- Codex SDK
- Codex IDE integrations
AI Agents as a New Attack Surface
Both vulnerabilities point to a deeper issue: AI agents are becoming privileged intermediaries between users and critical systems.
Unlike traditional software, these agents:
- Execute code dynamically
- Interact with external services
- Operate with high levels of trust and automation
This makes them attractive targets for attackers seeking lateral movement into enterprise environments.
Industry-Wide Wake-Up Call
Taken together, the discoveries reinforce a broader shift in cybersecurity thinking. AI systems are no longer just tools—they are active participants in computing environments, with access to sensitive data and operational capabilities.
Key lessons emerging from the incidents include:
- AI guardrails can be bypassed through indirect channels
- Input validation remains critical—even in AI-driven systems
- Trusted integrations (e.g., GitHub) can become attack vectors
- Visibility into AI behavior is still limited
The Road Ahead
While OpenAI’s swift response prevented known exploitation, the incidents underscore the need for a proactive, security-first approach to AI deployment.
Organizations adopting AI technologies are now being urged to:
- Treat AI systems as part of their core attack surface
- Implement zero-trust principles for AI interactions
- Continuously audit AI-integrated workflows
As AI continues to integrate into software development, enterprise operations, and daily life, these vulnerabilities serve as an early warning: the future of cybersecurity will be inseparable from the security of AI itself.
