OpenAI Patches "ZombieAgent" Prompt Injection Flaw in ChatGPT’s New "Apps" Feature
In December 2025, OpenAI rolled out its "apps" feature (formerly "Connectors"), allowing ChatGPT to integrate with external services like email, cloud storage, and calendars for enhanced functionality. However, security firm Radware uncovered a critical vulnerability—dubbed ZombieAgent—that exposed users to prompt injection attacks capable of data exfiltration and persistent access.
The flaw enabled malicious actors to embed hidden commands in emails or files (e.g., white text on a white background or zero-font text) that ChatGPT would execute without user awareness. Radware identified four exploitation methods:
- Zero-click server-side attack: Data exfiltration triggered before the user views the content.
- One-click server-side attack: Malicious prompts in files requiring user upload.
- Persistence: Commands stored in ChatGPT’s memory for prolonged access.
- Propagation: Worm-like spread via infected emails or files.
OpenAI patched the vulnerability on December 16, though details of the fix remain undisclosed. The incident highlights risks in GenAI integrations, where seemingly benign features can become vectors for sophisticated attacks.
OpenAI cybersecurity rating report: https://www.rankiteo.com/company/openai
"id": "OPE1767958502",
"linkid": "openai",
"type": "Vulnerability",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': "Users of ChatGPT with 'apps' "
'feature enabled',
'industry': 'Artificial Intelligence / SaaS',
'location': 'Global (HQ: San Francisco, USA)',
'name': 'OpenAI',
'size': 'Large',
'type': 'Technology Company'}],
'attack_vector': 'Malicious prompts in emails/files (hidden text, zero-font, '
'or invisible formatting)',
'data_breach': {'data_exfiltration': 'Yes (via hidden commands)',
'file_types_exposed': ['Emails (.eml, .msg)',
'Documents (.pdf, .docx, etc.)',
'Calendar files (.ics)'],
'personally_identifiable_information': 'Possible (depends on '
'user data)',
'sensitivity_of_data': 'High (personal and business data)',
'type_of_data_compromised': ['Emails',
'Calendar events',
'Cloud storage files',
'Personally Identifiable '
'Information (PII)']},
'date_detected': '2025-12',
'date_publicly_disclosed': '2025-12',
'date_resolved': '2025-12-16',
'description': "Radware discovered 'ZombieAgent,' a prompt injection flaw in "
"OpenAI's ChatGPT 'apps' feature, allowing hidden commands to "
'exfiltrate or propagate data. The vulnerability enables '
'zero-click, one-click, persistence, and worm-like propagation '
'attacks. OpenAI patched the issue on December 16, 2025.',
'impact': {'brand_reputation_impact': "Potential erosion of trust in OpenAI's "
'security',
'data_compromised': 'Sensitive data (emails, calendar details, '
'cloud storage files)',
'identity_theft_risk': 'High (if PII was exfiltrated)',
'operational_impact': 'Unauthorized data exfiltration, persistent '
'access, worm-like propagation',
'systems_affected': "ChatGPT with 'apps' feature enabled (Gmail, "
'cloud storage, calendars, etc.)'},
'initial_access_broker': {'backdoors_established': 'Persistence via ChatGPT '
'memory',
'entry_point': 'Malicious prompts in emails/files'},
'investigation_status': 'Resolved (patched by OpenAI)',
'lessons_learned': 'Prompt injection vulnerabilities in GenAI tools can lead '
'to severe data exfiltration and persistence risks. Hidden '
'or obfuscated commands in external data sources (emails, '
'files) pose significant threats when integrated with AI '
'assistants.',
'post_incident_analysis': {'corrective_actions': ['OpenAI patched the '
'ZombieAgent vulnerability '
'(details undisclosed)',
'Potential introduction of '
'prompt filtering or '
'sandboxing for external '
'data'],
'root_causes': ['Lack of input sanitization for '
'hidden/obfuscated prompts in '
'external data sources',
'Overly permissive AI integrations '
'with sensitive services (email, '
'cloud storage)']},
'recommendations': ['Implement strict input validation for AI integrations '
'with external services',
'Monitor for anomalous behavior in AI-assisted workflows',
'Educate users on risks of hidden prompts in emails/files',
'Deploy AI-specific security controls (e.g., prompt '
'filtering, sandboxing)',
'Regularly audit third-party integrations for '
'vulnerabilities'],
'references': [{'date_accessed': '2025-12', 'source': 'TechRadar'},
{'date_accessed': '2025-12', 'source': 'Radware'}],
'response': {'containment_measures': 'Patch deployed by OpenAI on December '
'16, 2025',
'remediation_measures': 'Fix for ZombieAgent vulnerability '
'(details undisclosed)',
'third_party_assistance': 'Radware (security researchers)'},
'title': "ZombieAgent Prompt Injection Vulnerability in OpenAI's ChatGPT Apps "
'Feature',
'type': 'Prompt Injection',
'vulnerability_exploited': 'ZombieAgent (prompt injection in ChatGPT '
'Connectors/Apps feature)'}