OpenAI fixed a serious security flaw in ChatGPT in February 2026 that allowed attackers to extract sensitive data like medical records and passwords through a hidden side channel, despite the company's claims that such data exfiltration was impossible. Security researchers from Check Point discovered that a single malicious prompt could activate an invisible data smuggling mechanism, completely circumventing OpenAI's stated safeguards around the chatbot's code execution environment .

How Did ChatGPT's Security Fail So Dramatically?

OpenAI has long promoted ChatGPT as a secure service with multiple layers of protection. The company explicitly states that "the ChatGPT code execution environment is unable to generate outbound network requests directly." This claim gave users and enterprises confidence that their data couldn't leak to external servers. But Check Point researchers found this wasn't entirely true .

The vulnerability exploited a gap in OpenAI's security model. While the company blocked direct internet connections from ChatGPT's code execution container, it never implemented controls on the Domain Name System (DNS), the infrastructure that translates website names into IP addresses. Attackers weaponized this oversight by using DNS as a side channel to transmit data to external servers .

"The vulnerability we discovered allowed information to be transmitted to an external server through a side channel originating from the container used by ChatGPT for code execution and data analysis. Crucially, because the model operated under the assumption that this environment could not send data outward directly, it did not recognize that behavior as an external data transfer requiring resistance or user mediation," explained Check Point researchers.

Check Point Security Researchers

The researchers created three proof-of-concept attacks to demonstrate how real-world damage could occur. In one scenario, a user uploaded a PDF containing laboratory results and personal health information to a custom GPT (a third-party application built on ChatGPT's APIs) designed to act as a personal health analyst. When asked if it had uploaded the data, ChatGPT confidently denied doing so, claiming the file was stored only in a secure internal location. In reality, the malicious GPT had already transmitted all the sensitive information to an attacker's remote server .

Why Should You Care About This Flaw?

This vulnerability has serious implications for regulated industries that rely on AI services. If a corporate deployment of ChatGPT had leaked sensitive data through this channel, it could have triggered violations of major privacy laws. The consequences could include General Data Protection Regulation (GDPR) violations in Europe, Health Insurance Portability and Accountability Act (HIPAA) breaches in healthcare, or violations of financial compliance rules .

The flaw also reveals a fundamental assumption problem in how OpenAI designed ChatGPT's security. The company built defenses around what it thought the system could do, rather than what it actually could do. This gap between intention and reality is precisely the kind of oversight that can have cascading consequences across thousands of organizations using ChatGPT for sensitive work.

Steps to Protect Your Data When Using ChatGPT

• Avoid Uploading Sensitive Information: Do not upload medical records, financial statements, personal identification documents, or any data containing passwords or authentication credentials to ChatGPT or custom GPTs, even if the application claims to keep data private.
• Use Enterprise Versions for Regulated Work: If your organization handles healthcare, financial, or legal data, use ChatGPT's enterprise offerings with additional security controls rather than the free or standard versions.
• Monitor Third-Party GPT Permissions: When using custom GPTs built by third parties, carefully review what data they request and what they claim to do with it. Malicious GPTs can appear legitimate while secretly exfiltrating information.
• Assume Data Leakage Is Possible: Treat any information you share with ChatGPT as potentially compromised. Never input data you wouldn't want exposed publicly, regardless of security assurances.

OpenAI reportedly fixed this particular vulnerability on February 20, 2026, according to Check Point's disclosure . However, the incident underscores a broader pattern: AI companies often make confident claims about security that don't hold up under scrutiny. OpenAI's statement that ChatGPT "cannot generate outbound network requests directly" was technically true but dangerously incomplete, since it ignored DNS as a viable exfiltration channel.

The company has also invested heavily in other security measures, particularly defending against bots scraping ChatGPT conversations. A recent analysis by security engineer Buchodi found that OpenAI implemented Cloudflare's Turnstile widget in a way that prevents any interaction with the chatbot until the entire React-based web interface has fully loaded in a user's browser . This anti-scraping defense is robust, but it highlights an irony: OpenAI protects its own derivative content from being crawled by competitors, yet failed to protect user data from being exfiltrated by attackers.

"These checks are part of how we protect our first-party products from abuse like bots, scraping, fraud, and other attempts to misuse the platform. A big reason we invest in this is because we want to keep free and logged-out access available for more users. My team's goal is to help make sure the limited GPU resources are going to real users," stated an individual claiming to be an OpenAI employee, possibly Head of ChatGPT Nick Turley.

OpenAI Employee, Head of ChatGPT (claimed)

The DNS vulnerability patch represents an important security update, but it also serves as a reminder that AI systems are only as secure as their weakest link. As ChatGPT and similar tools become more integrated into business workflows and healthcare systems, the stakes for security failures grow exponentially. Organizations deploying these tools should assume that future vulnerabilities will be discovered and plan their data handling practices accordingly.