ChatGPT's Hidden DNS Channel Let Malicious GPTs Silently Steal Uploaded Files
Check Point Research disclosed a vulnerability in ChatGPT's code execution sandbox that allowed uploaded files, conversations, and medical records to be silently exfiltrated through DNS queries. A separate flaw in OpenAI Codex enabled GitHub token theft via malicious branch names. Both were patched in February 2026.
VaultTools · April 8, 2026
Photo on Unsplash
Table of Contents
- What happened
- How the DNS channel worked
- Proof of concept: medical records exfiltrated in real time
- A second flaw: Codex GitHub token theft
- What this means for file processing
- Sources
What Happened
On March 30, 2026, Check Point Research publicly disclosed a vulnerability in ChatGPT’s code execution sandbox that allowed silent exfiltration of user data, including uploaded files, conversation text, and AI-generated summaries. OpenAI’s own security documentation stated that the runtime “cannot generate direct outbound network requests.” That claim was technically correct but practically incomplete: DNS resolution remained open, and it was enough.
Check Point described the flaw as a “hidden exfiltration channel” that “a single malicious prompt could activate inside a regular ChatGPT conversation.” OpenAI confirmed it had “already identified the underlying problem internally” and deployed a fix on February 20, 2026.
Separately, BeyondTrust’s Phantom Labs disclosed a command injection vulnerability in OpenAI Codex, reported on December 16, 2025, and patched on February 5, 2026.
How the DNS Channel Worked
ChatGPT’s Data Analysis environment runs user code in an isolated Linux container. Standard HTTP and TCP connections to external hosts are blocked. However, the container still performed DNS lookups as part of normal system operations.
Check Point researchers exploited this gap by encoding stolen data into DNS-safe fragments, placing them as subdomains in queries directed at an attacker-controlled domain. On the attacker’s side, incoming DNS queries were logged and the fragments reassembled into the original payload.
The channel was bidirectional. Instructions could be sent back through DNS responses, meaning “a process running inside the container could then read those responses, reassemble the payload, and continue the exchange.” This enabled not only data theft but full remote shell access inside the container, all invisible to the user and bypassing ChatGPT’s safety filters entirely.
Proof of Concept: Medical Records Exfiltrated in Real Time
Check Point built a custom GPT disguised as a health analyzer. A test user uploaded a PDF containing laboratory results with personal identifying information. ChatGPT processed the document and assured the user that the file “was only stored in a secure internal location.” Meanwhile, the malicious GPT had already transmitted “the patient’s identifying details together with the model’s assessment” to a remote server.
The attack required no technical skill from the victim. Two delivery methods were demonstrated. In the first, a user was tricked into pasting a prompt advertised as a “productivity trick” that contained hidden exfiltration logic. In the second, a backdoored custom GPT embedded the exfiltration code in its system instructions, activating automatically during normal conversation.
The researchers emphasized four properties that made the flaw dangerous: invisibility (no warnings or approval dialogs appeared), ease of distribution (via social engineering or GPT Store listings), sensitive data exposure (medical records, financial documents, conversation history), and persistence (every subsequent message in the session was compromised once the malicious prompt was injected).
A Second Flaw: Codex GitHub Token Theft
BeyondTrust’s Phantom Labs separately identified a command injection vulnerability in OpenAI Codex. The flaw stemmed from improper input sanitization when processing GitHub branch names during cloud-based task execution. An attacker could craft a malicious branch name that injected arbitrary commands into the Codex agent’s container, retrieving the GitHub User Access Token and gaining read/write access to the victim’s entire codebase.
The vulnerability affected the ChatGPT website, Codex CLI, Codex SDK, and the Codex IDE extension. It was reported on December 16, 2025, and patched on February 5, 2026. OpenAI stated there is no evidence either flaw was exploited in the wild.
What This Means for File Processing
Both vulnerabilities share a common root: files and code were uploaded to a cloud environment where the user had no visibility into what happened after submission. ChatGPT’s sandbox was designed to be isolated, and OpenAI’s documentation said it was. The DNS channel proved otherwise.
Every file uploaded to a cloud AI service passes through infrastructure the user cannot inspect or audit. The DNS exfiltration flaw is a concrete demonstration of how sensitive documents (medical records, legal contracts, financial statements) can leave a “secure” environment through channels that were never anticipated in the threat model.
Client-side processing eliminates this attack surface entirely. When a file is processed in WebAssembly inside the browser, there is no container to escape from, no DNS resolver to abuse, and no remote server that ever receives the file. The processing logic runs in a sandbox controlled by the browser itself, with no network access of any kind. The file stays on the device because it was never sent anywhere.
For users handling sensitive documents, the question is not whether cloud providers will find and patch every side channel. It is whether the file needed to leave the device in the first place.
Sources
- ChatGPT Data Leakage via a Hidden Outbound Channel in the Code Execution Runtime (Check Point Research)
- OpenAI ChatGPT fixes DNS data smuggling flaw (The Register)
- OpenAI Patches ChatGPT Data Exfiltration Flaw and Codex GitHub Token Vulnerability (The Hacker News)
- When AI Trust Breaks: The ChatGPT Data Leakage Flaw That Redefined AI Vendor Security Trust (Check Point Blog)
- OpenAI Codex Command Injection Vulnerability (BeyondTrust)
- OpenAI Codex vulnerability enabled GitHub token theft via command injection (SiliconANGLE)
- Critical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise (SecurityWeek)