‍

Check Point Research disclosed a critical vulnerability in ChatGPT's Python-based Data Analysis Linux runtime that allowed attackers to silently exfiltrate user prompts, uploaded files, and sensitive data.

The exploit technique was DNS tunneling. ChatGPT's code execution environment blocks direct outbound internet access, but DNS lookups were not restricted. Attackers could encode stolen data into subdomain labels within DNS queries.

The channel was also bidirectional. Attackers could send command fragments back through DNS responses, establishing a remote shell inside the container, enabling arbitrary command execution outside ChatGPT's safety mechanisms.

How the attack reached users

Two delivery methods were demonstrated. The first: malicious prompts distributed on public forums or social media, disguised as productivity tips or jailbreaks. Once pasted into a conversation, the chat became a covert data collection channel. 

The second: backdoored Custom GPTs, for example, a fake "personal doctor" app that analyzed uploaded medical PDFs while silently extracting identifiers and assessments through the DNS channel.

When asked directly, the AI would deny sending data externally. The illusion of privacy was complete.

What was patched and what wasn't

OpenAI closed the DNS tunnel on February 20, 2026, following responsible disclosure. Check Point confirmed there is no evidence the vulnerability was ever exploited in the wild.

The patch closes this specific channel. It does not change the underlying dynamic. As Check Point noted, ChatGPT is no longer a chat window, it is a multi-layered code execution environment processing medical records, financial data, and proprietary business documents. New attack surfaces emerge with every capability added.

For enterprises, the question is not whether ChatGPT is patched. It is whether they can see what employees are uploading to it. 34.8% of ChatGPT inputs contain sensitive enterprise data, according to 2026 research. 

Without visibility into which AI tools are in use and what data is flowing into them, security teams are operating blind. CloudEagle.ai provides that visibility across both sanctioned and unsanctioned AI tool usage.

‍

Compliance Doesn't Fail Overnight

It drifts.

Catch It Early