ChatGPT Vulnerability Allowed Silent Exfiltration of Conversations and Uploaded Files

Affected Product: OpenAI ChatGPT (web and potentially API-accessible interfaces) Vulnerability Type: Prompt Injection / Covert Data Exfiltration Researcher: Check Point Research CVE Status: Not yet assigned at time of publication

Vulnerability Overview

Check Point Research disclosed a previously unknown vulnerability in OpenAI's ChatGPT that allowed a malicious prompt to silently exfiltrate sensitive user data — including conversation history and uploaded files — without the user's knowledge or consent.

The flaw is classified as a prompt injection attack. In this attack class, adversarial instructions embedded in user-supplied or third-party content manipulate the model into executing unintended actions. In this case, a single crafted prompt was sufficient to transform a normal ChatGPT session into a covert exfiltration channel.

According to Check Point, the attack could leak:

  • User messages from the active conversation
  • Uploaded files submitted during the session
  • Other sensitive session content present in the model's context window

No CVE identifier has been publicly assigned as of this writing. CVSS scoring has not been published, though the attack vector is network-based, requires no authentication beyond initiating a ChatGPT session, and carries low attack complexity — factors that would typically place it in the high-severity range.

Technical Detail

Prompt injection against large language models (LLMs) exploits the model's inability to reliably distinguish between legitimate system instructions and adversarial instructions injected through user input or retrieved content. When ChatGPT processes a malicious prompt — whether typed directly or embedded in a document the user uploads — the model can be instructed to encode and transmit context-window data to an attacker-controlled endpoint.

The exfiltration mechanism likely leverages the model's ability to generate URLs or make references that, when rendered or followed by a browser or plugin, send data outbound. This technique has been demonstrated in prior research against other LLM-integrated tools, but Check Point's findings apply it specifically to ChatGPT's handling of uploaded files and multi-turn conversations.

The attack requires no elevated privileges and no vulnerability in the underlying operating system or browser. The user does not need to click a link or install anything. The malicious prompt does the work inside the model's inference loop.

Real-World Impact

Organizations that permit employees to use ChatGPT for work tasks — reviewing contracts, drafting code, analyzing documents — face direct exposure. A user who uploads a sensitive file (financial data, source code, personally identifiable information, legal documents) and then encounters a malicious prompt in the same session could have that content exfiltrated transparently.

Attack delivery vectors include:

  • Malicious documents uploaded by the user — a PDF or DOCX containing injected instructions
  • Adversarial content pasted into the chat — copied from a compromised webpage or email
  • Shared conversation links — if a crafted conversation is shared with a target user

Enterprises using ChatGPT via the API in automated pipelines face additional risk, as injected instructions in processed third-party content could exfiltrate data at scale without any human reviewing the output.

This class of vulnerability is particularly damaging in environments where ChatGPT has been integrated with tools, plugins, or retrieval-augmented generation (RAG) pipelines, since the model may have access to a broader data surface than a standalone chat session.

OpenAI Response

Check Point reported the vulnerability to OpenAI through responsible disclosure. OpenAI has acknowledged the report. Specific patch details, timeline, and confirmation of remediation were not publicly available at the time of this writing. Organizations should monitor OpenAI's security advisories at security.openai.com for updates.

For enterprises and security teams:

  1. Restrict file uploads — Disable or limit ChatGPT file upload functionality for employees through OpenAI's administrative controls until full remediation is confirmed.

  2. Enforce ChatGPT Enterprise data controls — If using ChatGPT Enterprise, verify that conversation data retention and training opt-outs are configured per your data handling policies.

  3. Block ChatGPT access for sensitive workflows — Do not use consumer ChatGPT interfaces for processing confidential documents, PII, source code, or legally privileged material.

  4. Audit LLM integration pipelines — Review any automated workflows that pass third-party content into ChatGPT or any other LLM. Treat all retrieved or user-supplied content as potentially adversarial.

  5. Apply output filtering — Where ChatGPT output is processed programmatically, implement output validation to detect anomalous URL generation or encoded data patterns that may indicate exfiltration attempts.

  6. Monitor for CVE assignment — Track the National Vulnerability Database (NVD) and OpenAI's disclosure channels for an official CVE ID and associated patch guidance.

For SOC analysts:

Flag outbound HTTP requests originating from browser sessions to unrecognized or newly registered domains immediately following ChatGPT usage. Prompt injection exfiltration typically generates anomalous GET requests with encoded query parameters carrying conversation data.

Check Point's full technical write-up is expected to include proof-of-concept detail. Security teams should treat this disclosure as active risk until OpenAI confirms a complete fix is deployed across all affected surfaces.