Trust in artificial intelligence tools has once again been put to the test. Researchers at Check Point Research disclosed a vulnerability in ChatGPT that, they say, made it possible to silently extract data from users’ conversations without their knowledge or explicit consent. The finding is another warning sign for companies that are increasingly embedding generative AI into their day-to-day operations.
According to the researchers, a single malicious prompt was enough to turn a ChatGPT session into a data exfiltration channel. The attack could capture not only user messages and uploaded files, but also content generated by the model itself, including summaries, analyses, and conclusions that often carry particular value for organizations. Importantly, the entire process took place in the background, without any warnings or permission requests.
As the analysts explain, the flaw exploited a hidden communication path based on DNS within the Linux environment used by ChatGPT for data analysis and code execution. This is precisely what raises the greatest concern among security experts: protections may appear effective from the user’s perspective while still containing invisible weaknesses at the infrastructure level.
The risk was even greater in the case of so-called Custom GPTs. Researchers demonstrated that malicious logic could be embedded directly into the instructions of a customized model. In the proof-of-concept scenario, they created a GPT impersonating a personal doctor: the user uploaded medical test results and received a credible response, while their data and the generated analysis were simultaneously sent to an external server controlled by the attacker.
In Check Point Research’s view, the issue goes beyond the privacy of individual users. The same communication path could potentially have enabled remote command execution inside the ChatGPT environment, raising the risk to a systemic level. For businesses, this means AI tools should not be treated as ordinary applications, but as full-fledged computing environments that require independent security oversight.
“The research confirms that AI tools cannot be assumed to be secure by default. As AI platforms become full-fledged computing environments processing our most sensitive data, native security mechanisms are no longer sufficient on their own. Organizations clearly need independent visibility and layered protection between themselves and AI providers,” said Eli Smadja, Head of Research at Check Point Research.
Highly regulated industries are especially exposed. As highlighted in the analysis, AI-related incidents may lead not only to reputational and operational losses, but also to violations of GDPR and other regulatory requirements. The financial sector, healthcare, and public administration therefore cannot treat AI systems as external add-ons operating outside their standard risk-management frameworks.
The vulnerability described has already been fixed. OpenAI implemented a full patch on February 20, 2026.
