Thought Leadership
Security researchers at Check Point Research discovered a vulnerability in ChatGPT’s analysis environment. Data exfiltration was possible through a channel that OpenAI apparently overlooked.
Users who hand files to ChatGPT for analysis expect them to be processed in a sealed environment. That this isolation had a significant gap was demonstrated by security researchers at Check Point Research. They were able to silently exfiltrate user inputs and uploaded documents from the sandbox.
The overlooked channel
OpenAI largely blocks outbound connections via HTTP and TCP in its Linux-based runtime environment. What was still allowed through, however, were DNS queries. The researchers took advantage of this: sensitive data was broken into small fragments, encoded as subdomains, and sent to an external server. To the system, it looked like ordinary name resolution. A warning to the user? There was none.
How an attack played out
The researchers demonstrated two scenarios. In the first, a manipulated prompt circulated online, disguised as a supposed jailbreak or useful trick. Once a user pasted it into their session, data transmission began in the background immediately.
The second scenario was even more elegant: the attackers hid the malicious code inside a Custom GPT. Anyone who handed documents to this assistant was compromised, without any further interaction required.
More than just eavesdropping
Because the DNS channel worked in both directions, the researchers were also able to inject commands into the sandbox. The result was essentially remote access to the container. This allowed arbitrary commands to be executed, entirely independent of the language model’s safety mechanisms. Everything processed during a session was potentially accessible.
OpenAI has responded
Following coordinated disclosure by Check Point Research, OpenAI closed the vulnerability on February 20, 2026.
The case raises a fundamental question: large language models increasingly process confidential information in their own execution environments. Anyone operating such platforms must secure all communication layers, including those that appear purely technical at first glance. DNS tunneling is not a new attack vector. That it worked in such a prominent environment is still surprising.
