OpenAI: ChatGPT File Download Flow Vulnerability Could Be Abused to Access System Files

ChatGPT Vulnerability Chain Exposed System Files via Path Traversal Flaw

Security researcher zer0dac uncovered a proof-of-concept (PoC) vulnerability chain in ChatGPT that combined a guardrail bypass with a path traversal flaw, potentially allowing attackers to access restricted system files including /etc/passwd through the platform’s file download mechanism. OpenAI has since remediated the issue by redesigning the URL download flow.

The exploit involved a four-step process:

  1. File Upload – The researcher uploaded a dummy HTML file to ChatGPT, creating a sandboxed file path.
  2. Guardrail Bypass – Direct download requests were denied under standard deletion policies, but the researcher circumvented this by first requesting an edit, then claiming the file was "accidentally deleted" and requesting a new download link. This tricked ChatGPT into generating a valid URL.
  3. Endpoint Interception – The exposed backend API (/backend-api/conversation/{id}/interpreter/download) revealed a sandbox_path parameter, which was manipulated to bypass path validation.
  4. Path Traversal – Instead of a direct traversal payload (e.g., ../../../../etc/passwd), the researcher appended traversal sequences to a legitimate path (/mnt/data/test.html/../../../../etc/passwd), exploiting inconsistent path normalization to access restricted files.
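The normalization mismatch in step 4, as an added example (not code from the article, the researcher, or OpenAI): a prefix check on the raw `sandbox_path` value accepts the appended-traversal form, while canonicalizing before validating rejects it. The function names are hypothetical; only `/mnt/data` and the sample paths come from the article.

```python
import os
import posixpath

SANDBOX_ROOT = "/mnt/data"  # sandbox directory named in the article


def naive_is_allowed(sandbox_path: str) -> bool:
    """Weak check: prefix match on the raw string, before any normalization."""
    return sandbox_path.startswith(SANDBOX_ROOT + "/")


def effective_target(sandbox_path: str) -> str:
    """What a later layer that collapses '..' segments ends up addressing."""
    return posixpath.normpath(sandbox_path)


def resolve_in_sandbox(sandbox_path: str, root: str = SANDBOX_ROOT) -> str:
    """Canonicalize first, validate second, and return the canonical path.

    The caller must open the returned value, never the original input, so the
    validated path and the opened path cannot diverge.
    """
    if "\x00" in sandbox_path:
        raise ValueError("NUL byte in path")
    root_real = os.path.realpath(root)
    # realpath collapses '..' and follows symlinks; join keeps absolute inputs as-is
    candidate = os.path.realpath(os.path.join(root_real, sandbox_path))
    if os.path.commonpath([root_real, candidate]) != root_real or candidate == root_real:
        raise ValueError(f"path escapes sandbox: {sandbox_path!r}")
    return candidate


def check(sandbox_path: str) -> dict:
    """Run both validators over one input and report what each decides."""
    try:
        hardened = resolve_in_sandbox(sandbox_path)
    except ValueError:
        hardened = None
    return {"naive_allows": naive_is_allowed(sandbox_path),
            "effective_target": effective_target(sandbox_path),
            "hardened_result": hardened}


if __name__ == "__main__":
    for p in ("/mnt/data/test.html",
              "../../../../etc/passwd",
              "/mnt/data/test.html/../../../../etc/passwd"):
        print(p, "->", check(p))
```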

While the immediate impact was limited (ChatGPT’s sandboxed environment prevented sensitive data exposure), the flaw underscored broader risks in AI security. The vulnerability demonstrated how traditional web application flaws (path traversal) and AI-specific weaknesses (prompt-based guardrail manipulation) can combine in LLM architectures, particularly as platforms integrate file handling, code execution, and dynamic URL generation.

OpenAI’s fix, though undisclosed in technical detail, addressed the issue by altering the download flow. The case highlights the need for both AI-specific red teaming and conventional web security testing in LLM deployments.

Source: https://cybersecuritynews.com/chatgpt-file-download-flow-vulnerability/

OpenAI TPRM report: https://www.rankiteo.com/company/openai

"id": "ope1783009491",
"linkid": "openai",
"type": "Vulnerability",
"date": "7/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': 'Artificial Intelligence / Software',
                        'name': 'OpenAI (ChatGPT)',
                        'type': 'Technology Company'}],
 'attack_vector': 'Path Traversal + Guardrail Bypass',
 'data_breach': {'file_types_exposed': ['Text files (e.g., `/etc/passwd`)'],
                 'sensitivity_of_data': 'Low (sandboxed environment limited '
                                        'exposure)',
                 'type_of_data_compromised': 'System files'},
 'description': 'Security researcher *zer0dac* uncovered a proof-of-concept '
                '(PoC) vulnerability chain in ChatGPT that combined a '
                'guardrail bypass with a path traversal flaw, potentially '
                'allowing attackers to access restricted system files '
                'including `/etc/passwd` through the platform’s file download '
                'mechanism. The exploit involved a four-step process: file '
                'upload, guardrail bypass, endpoint interception, and path '
                'traversal. OpenAI remediated the issue by redesigning the URL '
                'download flow.',
 'impact': {'brand_reputation_impact': 'Potential reputational risk due to '
                                       'vulnerability disclosure',
            'data_compromised': 'Restricted system files (e.g., `/etc/passwd`)',
            'operational_impact': 'Limited (sandboxed environment prevented '
                                  'sensitive data exposure)',
            'systems_affected': 'ChatGPT file download mechanism'},
 'investigation_status': 'Remediated',
 'lessons_learned': 'Demonstrated how traditional web application flaws (path '
                    'traversal) and AI-specific weaknesses (prompt-based '
                    'guardrail manipulation) can combine in LLM architectures. '
                    'Highlighted the need for AI-specific red teaming and '
                    'conventional web security testing in LLM deployments.',
 'motivation': 'Security Research / Proof-of-Concept',
 'post_incident_analysis': {'corrective_actions': 'Redesigned URL download '
                                                  'flow to prevent path '
                                                  'traversal and guardrail '
                                                  'bypass',
                            'root_causes': 'Inconsistent path normalization in '
                                           'file download mechanism and weak '
                                           'guardrail enforcement in prompt '
                                           'handling'},
 'recommendations': 'Integrate AI-specific security testing alongside '
                    'traditional web application security measures. Implement '
                    'stricter path validation and guardrail mechanisms in LLM '
                    'file handling systems.',
 'references': [{'source': 'Security Research by zer0dac'}],
 'response': {'containment_measures': 'Redesigned URL download flow',
              'remediation_measures': 'Fixed path traversal and guardrail '
                                      'bypass vulnerabilities'},
 'threat_actor': 'zer0dac (Security Researcher)',
 'title': 'ChatGPT Vulnerability Chain Exposed System Files via Path Traversal '
          'Flaw',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'Path traversal flaw in file download mechanism '
                            'and guardrail bypass via prompt manipulation'}