ChatGPT Security: Key Risks, Real Vulnerabilities, and Enterprise Controls That Work

ChatGPT security has moved from a theoretical concern to a documented operational problem, with two patched vulnerabilities disclosed in early 2026, hundreds of thousands of stolen credentials circulating on dark-web markets, and research showing that more than a third of what employees type into the tool is sensitive data.

The stakes have grown alongside adoption. ChatGPT now handles enterprise workloads, developer workflows, and customer-facing integrations at organizations that have not yet mapped the full threat surface. For security teams, that creates a mix of issues: some rooted in OpenAI’s own infrastructure, more in how employees use it, and a growing share in how attackers weaponize the tool itself.

Recent Vulnerabilities in ChatGPT’s Infrastructure

Two distinct flaws patched in early 2026 illustrate different ends of the risk spectrum.

The first, reported by Check Point researchers and disclosed by The Hacker News ↗, was a side-channel vulnerability in the Linux runtime ChatGPT uses for code execution. Attackers could encode data exfiltration ↗ payloads as DNS requests, sidestepping the platform’s stated guardrail that the execution environment cannot make direct outbound network connections. In practice, a malicious prompt could trick a user into pasting specially crafted text, at which point the runtime would silently beacon out via DNS. The attack surface widened with custom GPTs: malicious logic could be baked into a published GPT rather than requiring direct user manipulation each time. OpenAI patched the issue on February 20, 2026, with no confirmed exploitation in the wild.

The second was a command injection flaw in Codex, OpenAI’s coding assistant. BeyondTrust Phantom Labs reported the bug on December 16, 2025; OpenAI patched it by February 5, 2026. The root cause was inadequate input sanitization in how Codex processed GitHub branch names. An attacker who could influence branch naming — common in open-source contribution flows — could inject arbitrary shell commands via an HTTPS POST request, then retrieve GitHub User Access tokens from the execution environment. Compromised tokens granted lateral movement and full read/write access to whatever repositories those tokens covered.

Both vulnerabilities required user interaction or specific preconditions to exploit. Neither was a remote unauthenticated exploit. But they demonstrate that ChatGPT’s execution surface — especially as it expands into agentic and IDE-integrated contexts — carries real attack potential that warrants the same patch management discipline applied to any other production tool.

The Bigger Attack Surface: Your Own Employees

Patched CVEs get the press, but the higher-volume risk in most organizations does not require any vulnerability in ChatGPT’s infrastructure at all.

Research from Q4 2025 found that 34.8 percent of employee inputs to ChatGPT contained sensitive data, up from roughly 11 percent in 2023. The content spans customer emails, contract language, source code, product roadmaps, and internal financial data. Most employees paste this material in without considering that the default consumer product uses conversation content to improve models — and that even where data retention controls exist, an account compromise exposes every conversation in that user’s history.

Credential theft is the concrete follow-on risk. Security researchers documented more than 225,000 OpenAI and ChatGPT credentials for sale on dark-web markets in 2025. The credentials were not obtained by breaching OpenAI’s infrastructure; they were harvested by infostealer malware running on compromised employee endpoints. Once an attacker logs into a stolen account, they get a verbatim record of every sensitive exchange that user had with the platform.

ChatGPT also lowers the barrier for attackers. AI-generated phishing messages now reach targets with regional phrasing, accurate organizational context, and grammatical polish that mass-template campaigns cannot match. SlashNext’s 2025 phishing report attributed a 4,151 percent increase in AI-generated phishing messages to the period since ChatGPT’s public release, with click rates running roughly fourteen times higher than traditional campaigns. The tool is not the victim here — it is part of the delivery mechanism.

Prompt Injection: The Risk That Comes for Free

Prompt injection ↗ is ranked first in the OWASP Top 10 for LLM Applications (2025) ↗ because it requires no special access to attempt. Any user with chat access can attempt a direct injection. Any document, webpage, or data source that ChatGPT reads becomes a vector for indirect injection, where attacker-controlled content hidden in an external resource overrides the system prompt or redirects behavior.

The ChatGPT search feature was found vulnerable to indirect prompt injection in ↗ late 2024: invisible text embedded in a webpage could manipulate the tool’s summarization of that page, producing artificially positive assessments of malicious or fraudulent content. The attack does not require access to OpenAI’s backend. It exploits the trust the model places in content it retrieves from the web.

For teams building integrations — retrieval-augmented generation pipelines, automated research workflows, document-processing tools — this is a design constraint, not a runtime configuration issue. Any architecture that passes untrusted content to a ChatGPT context window without sanitizing or isolating it inherits the injection risk. Offensive AI security ↗ researchers have documented the range of ChatGPT-adjacent attack vectors extensively; see aisec.blog ↗ for current research on prompt injection and agent exploitation techniques.

What Enterprise Controls Actually Provide

The consumer tier of ChatGPT and the enterprise tiers operate under meaningfully different data handling terms. OpenAI’s enterprise, business, education, and API products do not use customer inputs or outputs to train or improve models by default. Conversations are encrypted in transit with TLS 1.2 or higher and at rest with AES-256. ChatGPT Enterprise is independently audited to SOC 2 Type 2 and aligned with ISO/IEC 27001, 27017, 27018, and 27701. Organizations in regulated industries should note that HIPAA compliance requires a signed Business Associate Agreement, and GDPR-compliant configurations require at minimum a Data Processing Addendum.

Administrative controls available in Enterprise include SAML-based SSO, enforced multi-factor authentication, and least-privilege role assignments through the admin console. Wiz’s enterprise security guide ↗ recommends treating ChatGPT as a production system requiring the same identity controls, access logging, and behavioral monitoring applied to other enterprise SaaS applications.

Practical steps that consistently reduce risk:

• Mandate the enterprise tier for any business use. Consumer accounts have weaker data retention controls and no organizational visibility.
• Block sensitive data categories at the DLP layer before they reach the prompt. Network-level controls can flag pasting of PII, credentials, or marked-confidential material.
• Enforce endpoint hygiene. The credential theft problem is an endpoint hygiene problem. Infostealer infections on employee machines are the source, not a ChatGPT weakness.
• Treat any ChatGPT integration as an untrusted input pipeline. If the integration reads external documents, emails, or web content, instrument it for prompt injection the same way you would instrument a web application for XSS.
• Audit custom GPTs before deployment. Custom GPTs published internally can carry malicious logic in their system prompts. Treat them like third-party software.

The security posture of a ChatGPT deployment is largely determined by decisions made before anyone types a prompt: which tier is licensed, what data governance policies are enforced, and whether the organization’s endpoint fleet is clean enough to prevent credential harvest. Those are solvable problems with existing controls.

---

Sources

• OpenAI Patches ChatGPT Data Exfiltration Flaw and Codex GitHub Token Vulnerability ↗ — The Hacker News coverage of the Check Point and BeyondTrust disclosures, with technical detail on the DNS side-channel and Codex command injection bugs patched in early 2026.

• LLM01:2025 Prompt Injection — OWASP Gen AI Security Project ↗ — The authoritative OWASP definition and risk description for prompt injection as the top-ranked LLM application vulnerability.

• ChatGPT Security for Enterprises: Risks and Best Practices ↗ — Wiz’s enterprise-focused breakdown of the five primary ChatGPT threat categories and recommended controls, including zero-trust access and data minimization guidance.

• Enterprise Privacy at OpenAI ↗ — OpenAI’s official documentation of data handling terms, certifications, and compliance posture for enterprise and API customers.

Related across the network

• The Samsung ChatGPT Data Leak: What Happened and What It Means for Enterprise AI Policy ↗ — ai-alert.org
• Shadow AI in the Enterprise: Ungoverned LLM API Keys and Data Exfiltration Risk ↗ — ai-alert.org
• OWASP LLM Top 10 2025: What Changed and Why It Matters ↗ — ai-alert.org
• Prompt Injection in the Wild: Incidents from 2024-2025 ↗ — ai-alert.org
• Best AI Security Tools 2024: A Practitioner’s Guide to LLM Protection ↗ — bestaisecuritytools.com

---

→ This post is part of the AI Security Threat Intelligence Hub — the complete resource index for AI security coverage on Tech Sentinel.