Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a pioneer and global leader in cybersecurity solutions, announced today that its threat intelligence division, Check Point Research (CPR), discovered a covert outbound communication channel within ChatGPT's code execution runtime environment and demonstrated that it was exploitable. This vulnerability could have allowed conversation data to be exfiltrated to an external server through a single malicious prompt, without any notification to or approval from the user. OpenAI confirmed that it had fully deployed a fix on February 20, 2026, after receiving a report from CPR.

Key Findings

・ CPR discovered that a single malicious prompt could transform a normal ChatGPT user session into a clandestine data leakage channel. In addition to sensitive data shared by users, AI-generated summaries and conclusions could also have been exfiltrated externally.

・ Attacks exploiting hidden DNS-based communication channels were able to bypass AI safety measures. It was also possible to execute remote commands within ChatGPT's runtime.

・ By embedding this process into custom GPTs, it could have been exploited as a broader threat rather than a one-time risk. Following information provided by CPR, OpenAI implemented a fix for this vulnerability (as of February 20, 2026). No actual exploitation has been confirmed.

Background to the Discovery

AI assistants like ChatGPT are rapidly becoming responsible for processing some of the most sensitive data handled by individuals. Users consult AI assistants about symptoms and medical history, upload financial documents, review contract details, and share content from personal documents. In many cases, these actions are based on the trust that data shared with AI assistants remains securely within the system.

ChatGPT itself states that external data transmission is restricted, visible, and managed. Sensitive data was not supposed to be sent to arbitrary third parties solely at the request of a prompt, and direct external access from the code execution environment was supposed to be restricted. What CPR discovered was a path to bypass this model.

A Single Malicious Prompt Leads to Covert Data Leakage

CPR discovered that a single malicious prompt could turn a normal ChatGPT conversation into a hidden leakage channel. In this case, once triggered, specific content within the conversation, such as user messages, uploaded files, or AI-generated summaries, could have been sent externally without any warning or approval.

Image 1: Attempted connection from inside the container to the external internet was blocked

From the user's perspective, the assistant would continue to respond as usual, with no warnings or approval dialogues appearing on the platform. Behind the scenes, the selected content was silently exfiltrated out of the conversation.

ChatGPT has safeguards to prevent unauthorized data sharing. From a user's perspective, external data transmission should be restricted, transparent, and consent-based. This vulnerability, however, did not break through ChatGPT's safeguards directly; it bypassed them completely.

How the Vulnerability Works: Bypassing Existing Safeguards

Instead of obvious external communication channels like HTTP requests or external APIs, the attack used a hidden side channel within the Linux runtime that ChatGPT uses for code execution and data analysis. While direct internet access was blocked as designed, DNS name resolution remained available as part of normal system operation.

DNS is generally treated as harmless infrastructure for resolving domain names and is not thought of as a means of data transmission. However, DNS can be abused as a covert transfer mechanism by encoding information into the domain names being queried. Because DNS communication was not classified as external data sharing, no approval dialogues, warnings, or risk recognition by the model itself were triggered.
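From the defender's side, data carried in query names has a recognisable shape in resolver logs: many distinct, long, high-entropy subdomains under one parent zone. The following is an added example, not code from CPR's research or OpenAI's fix; the function names, thresholds, two-label zone split and sample queries are all assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character, from the string's own character frequencies."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_zone(qname):
    """Return (subdomain, parent zone). Assumption: the parent zone is the
    last two labels; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_candidates(qnames, min_unique=4, min_len=30, min_entropy=3.5):
    """Flag zones that receive many distinct, long, high-entropy subdomains,
    the shape encoded data takes when it is carried in query names."""
    subs_by_zone = defaultdict(set)
    for q in qnames:
        sub, zone = split_zone(q)
        if sub:
            subs_by_zone[zone].add(sub)
    flagged = {}
    for zone, subs in subs_by_zone.items():
        payloads = [s.replace(".", "") for s in subs]
        avg_len = sum(map(len, payloads)) / len(payloads)
        avg_entropy = sum(map(shannon_entropy, payloads)) / len(payloads)
        if len(subs) >= min_unique and avg_len >= min_len and avg_entropy >= min_entropy:
            flagged[zone] = {"unique": len(subs), "avg_len": avg_len,
                             "avg_entropy": round(avg_entropy, 2)}
    return flagged

# Constructed sample: query names as a sandbox resolver might log them.
SAMPLE_QUERIES = [
    "pypi.org", "files.pythonhosted.org",
    "www.example.com", "api.example.com", "cdn.example.com", "static.example.com",
    "aqbrcsdteufvgwhxiyjzk2l3m4n5o6p7.collector.test",
    "7p6o5n4m3l2kzjyixhwgvfuetdscrbqa.collector.test",
    "qarbsctduevfwgxhyizj2k3l4m5n6o7p.collector.test",
    "p7o6n5m4l3k2jziyhxgwfveudtcsbraq.collector.test",
]

if __name__ == "__main__":
    for zone, stats in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(zone, stats)
```

Note that example.com also receives four distinct subdomains in the sample but is not flagged, because ordinary hostnames are short; the count of unique names alone is not a usable signal.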

Triggered by a Single Prompt

The attack could be triggered by a single malicious prompt, and from that point on, all new messages within the conversation became potential sources of leakage. Importantly, attackers did not need to steal entire documents. The prompt could instruct the model to extract and send only the most valuable information, such as summaries, conclusions, diagnoses, or strategic insights. And in many cases, these AI-generated outputs are more sensitive than the original input data.

This approach blends naturally into normal usage. Many users regularly copy prompts from blogs, forums, and social media that are promoted as productivity enhancements or 'hidden features/tricks'.

A similar attack pattern becomes even more dangerous when embedded in custom GPTs. In this scenario, attackers do not need to wait for victims to copy prompts externally; they can embed malicious processes directly into the GPT's instructions or files. Users simply open the GPT and interact with it as usual, and sensitive information is leaked.

As a proof of concept, CPR built a GPT that functioned as a 'personal doctor'. When a PDF of test results was uploaded to this GPT, the patient's personal information and medical assessment were sent to the attacker's server, all behind a perfectly normal interaction. When directly asked if it had sent data externally, ChatGPT replied that it had not sent anything at all.

Image 2: Remote server receiving extracted data while ChatGPT denies external data transfer

Risk Expanding from Individual Privacy to Platform Level

This covert communication channel was also found to be usable for purposes other than data exfiltration, such as executing remote commands within ChatGPT's runtime. CPR demonstrated that by sending commands via DNS queries and receiving results through the same channel, a remote shell could be established within the Linux environment used for code execution. This operates outside the model's safety checks and is invisible from the chat interface. This highlights that this vulnerability could pose platform-level security risks, not just individual privacy concerns.

The impact on regulated industries is even more severe. Breaches via AI tools are not just security incidents; they can escalate into GDPR infringements, HIPAA violations, and financial or regulatory non-compliance. Therefore, organizations in healthcare, financial services, and government agencies must treat AI tools as part of their regulated environment, rather than positioning them as consumer apps operating outside existing control frameworks.

Fix Completed and Major Lessons for the AI Era

Following a responsible disclosure process, CPR reported this vulnerability to OpenAI. OpenAI had already identified the root cause of the problem internally, and a complete fix was deployed on February 20, 2026, closing the unintended communication channel. There is no evidence of actual exploitation.

Check Point's View

Eli Smadja, Head of Research at Check Point Research, stated: "This case once again underscores the harsh reality of the AI era. We should not assume that AI tools are secure by default. As AI platforms evolve into full-fledged computing environments handling the most sensitive data, native security controls alone are insufficient. Organizations must ensure independent visibility and multi-layered protection in conjunction with AI vendors. Rather than scrambling to address the next incident, redesigning security architectures for the AI era is the way forward for safe progress."

This case is not limited to a single vulnerability. AI platforms are evolving faster than most organizations can assess the risks. Ensuring AI security requires not just fixing a single flaw, but redesigning security architectures for the AI era. AI systems must be viewed as complete computing environments, and protected accordingly, from application logic to infrastructure behavior.

While AI companies excel at building AI, they are not organizations that prioritize security above all else. This is why independent research is crucial. CPR discovered this vulnerability before malicious attackers, embodying the kind of oversight companies need. Security leaders should not rely solely on vendor assurances but collaborate with trusted advisors who can verify and strengthen AI environments.

This press release is based on a blog post (English) published on March 30, 2026, US time.

About Check Point Research

Check Point Research provides the latest cyber threat intelligence to Check Point customers and the threat intelligence community. It collects and analyzes data on cyberattacks worldwide stored in Check Point's threat intelligence, ThreatCloud AI, to deter hackers and contribute to the development of effective protection features in its products. The team consists of over 100 analysts and researchers who collaborate with security vendors, law enforcement agencies, and CERT organizations on cybersecurity measures.

・Blog: https://research.checkpoint.com/
・X: https://x.com/_cpresearch_

About Check Point

Check Point Software Technologies (www.checkpoint.com) is a global cybersecurity leader protecting over 100,000 organizations worldwide. The company's mission is to secure enterprises' safe AI transformation. Through a prevention-first approach and an open ecosystem architecture, it helps block advanced threats, prioritize exposures, and automate security operations across complex digital environments. Check Point's unified architecture simplifies protection across hybrid networks, multi-cloud environments, digital workspaces, and AI systems. Focused on four strategic pillars (Hybrid Mesh Network Security, Workspace Security, Exposure Management, and AI Security), Check Point provides consistent protection and visibility across multi-vendor environments, helping organizations reduce risk, improve efficiency, and accelerate innovation without increasing complexity. Check Point Software Technologies K.K. (https://www.checkpoint.com/jp/), a wholly-owned Japanese subsidiary of Check Point Software Technologies, was established on October 1, 1997, and is based in Minato-ku, Tokyo.

Social Media Accounts

・Check Point Blog: https://blog.checkpoint.com
・Check Point Research Blog: https://research.checkpoint.com/
・YouTube: https://youtube.com/user/CPGlobal
・LinkedIn: https://www.linkedin.com/company/

FACT BOX

  • Source: PR TIMES
  • Category: News