OpenAI patches critical vulnerabilities in ChatGPT and Codex
AI-generated from multiple sources. Verify before acting on this reporting.
SAN FRANCISCO — OpenAI addressed two significant security vulnerabilities on Sunday, patching a data exfiltration flaw in its ChatGPT service and a GitHub token vulnerability in its Codex code-generation tool. The updates were deployed following the discovery of the issues, which posed potential risks to user data and developer credentials.
The first vulnerability involved a flaw in ChatGPT that could have allowed unauthorized access to user data. Security researchers identified the issue, which theoretically permitted attackers to extract sensitive information from the platform's database. OpenAI confirmed the patch was applied to mitigate the risk of data exfiltration, ensuring that user conversations and personal information remain protected.
Simultaneously, the company resolved a separate issue within Codex, its artificial intelligence tool designed to assist developers in writing code. The vulnerability involved GitHub tokens, which are used to authenticate access to private repositories. A flaw in the system could have exposed these tokens, potentially granting attackers access to private codebases and sensitive project information. The patch ensures that token handling within Codex is now secure against exploitation.
OpenAI did not disclose the timeline of when the vulnerabilities were discovered or the specific methods used to identify them. The company also did not confirm whether any user data was compromised prior to the patches being deployed. Security experts noted that the proactive resolution of these issues demonstrates the company's commitment to maintaining robust security standards for its AI services.
The fixes were implemented across OpenAI's infrastructure without service interruption, according to the company's status page. Users of both ChatGPT and Codex were not required to take additional action to secure their accounts, as the updates were applied server-side. However, developers using Codex are advised to rotate any GitHub tokens that may have been exposed during the vulnerability window, as a precautionary measure.
Industry analysts suggest that the incidents highlight the ongoing challenges in securing AI-driven platforms, particularly those handling sensitive user data and developer credentials. As AI tools become more integrated into critical workflows, the potential impact of security flaws increases, necessitating rigorous testing and rapid response protocols.
OpenAI has not announced plans for additional security audits or public disclosures regarding the vulnerabilities. Questions remain regarding the origin of the exploits and whether similar flaws exist in other parts of the company's ecosystem. The company continues to monitor its systems for emerging threats as part of its standard security operations.
The patches were confirmed as of March 30, 2026, with no further details expected to be released immediately. OpenAI's response to the vulnerabilities underscores the importance of continuous security maintenance in the rapidly evolving field of artificial intelligence.