CVE-2026-45499 describes a critical server-side request forgery (SSRF) vulnerability in Azure OpenAI with CVSS score 9.9. An authenticated attacker can exploit the flaw to send arbitrary requests to internal network resources, potentially escalating privileges within the environment. No public proof-of-concept or patch details were available at publication on July 2, 2026.
Openai
Recent threats
Security researcher zer0dac disclosed a vulnerability chain in ChatGPT combining a guardrail bypass with path traversal in the file download mechanism, potentially allowing access to restricted system files. The vulnerability exploited inconsistent path normalization and social engineering of the LLM to bypass deletion policies. OpenAI remediated the issue by redesigning the URL download flow, with practical impact limited by sandboxing but highlighting a critical vulnerability class in AI-generated backend endpoints.
Security researchers at LayerX disclosed a vulnerability in AI safety guardrails that can be bypassed using mathematical attacks. The vulnerability was disclosed to multiple AI agent vendors, and OpenAI has successfully patched the issue while other vendors had not addressed it as of early July 2026.
Threat actors launched the "Poisoned Tenant" campaign creating fraudulent OpenAI organizations that impersonate legitimate companies, particularly targeting cybersecurity and technology firms. Employees received legitimate-appearing invitation emails from OpenAI's official address (noreply@tm.openai.com) to join fake tenants, attempting to trick them into sharing sensitive company information through chats and projects. Push Security discovered the campaign after multiple employees received invitations to a fake "Push Security Inc." ChatGPT workspace created by attackers using Gmail addresses.
Researchers recovered over 1,000 session logs from a compromised server showing a low-skilled attacker using OpenAI's Codex and Anthropic's Claude AI agents to conduct reconnaissance, exploit vulnerabilities, and breach at least 14 companies. The attacker bypassed guardrails by framing requests as authorized red-team exercises and used vague prompts to trigger autonomous attack operations including data exfiltration. Sessions revealed the attacker's identity through operational security failures.
OpenAI disclosed that two employee devices were compromised on May 11, 2026 during a supply chain attack targeting TanStack, a widely used open-source library. The attack, part of the Mini Shai-Hulud campaign, resulted in credential exfiltration. OpenAI found no evidence of user data access or core system compromise but is forcing updates to the ChatGPT Mac app by June 12 as a precautionary measure.
Cisco published research on May 27, 2026 evaluating 15 frontier AI models from OpenAI, Anthropic, Google, Amazon, and xAI, concluding that all tested models are materially more susceptible to multi-turn prompt attacks than vendors publicly claim. Multi-turn attack success rates against tested models ranged from 8% to 88%, compared to 2% to 65% for single-turn attacks, and every model exhibited non-trivial multi-turn attack success rates. The researchers found a correlation between AI developers' emphasis on capability benchmarks over safety and larger gaps between single-turn and multi-turn vulnerability. OpenAI models were explicitly included in the evaluated cohort. The report does not identify a specific CVE but challenges the safety assurances underpinning enterprise deployments of these models, particularly in agentic and multi-step workflow contexts.
A critical authentication bypass vulnerability tracked as CVE-2026-48710 and named "BadHost" has been disclosed in Starlette, the ASGI framework underlying FastAPI, vLLM, LiteLLM, MCP servers, and the broader Python-based AI agent ecosystem that includes OpenAI-compatible infrastructure. The flaw arises from Starlette versions prior to 1.0.1 failing to validate the HTTP Host header before using it to reconstruct request URLs: an attacker sending a crafted Host header such as "example.com/health?x=" causes authentication middleware relying on request.url.path to see a spoofed public-looking path, bypassing access controls entirely. MCP (Model Context Protocol) servers are particularly at risk because the specification mandates unauthenticated OAuth discovery endpoints, providing attackers with a predictable bypass target; successful exploitation can expose API keys, restricted LLM endpoints, internal agent tooling, and in some cases enable remote code execution. The vulnerability was discovered by X41 D-Sec during an OSTIF-sponsored audit and coordinated advisories were published on May 22, 2026; Starlette has over 400,000 dependent GitHub repositories and 325 million weekly downloads. Organizations are urged to upgrade Starlette to version 1.0.1 or later, replace request.url.path with scope["path"] in middleware, and deploy a validating reverse proxy in front of ASGI applications.
- Attackers Can Exploit BadHost to Access Sensitive AI Agent Serve(opens in a new tab)
- BadHost (CVE-2026-48710): One Rogue Header Line Unlocks Your Ent(opens in a new tab)
- BadHost Vulnerability Exposes Sensitive AI Agent Server Endpoint(opens in a new tab)
- Worrying open-source security issue 'BadHost' could affect milli(opens in a new tab)
- A vulnerability in the open-source package 'Starlette,' which is(opens in a new tab)
- Starlette Vulnerability Exposes AI Agent Endpoints | Let's Data (opens in a new tab)
OpenAI confirmed on May 13, 2026 that an internal investigation found no evidence ChatGPT user data or internal systems were accessed in connection with a supply-chain attack against the TanStack npm package, a widely used open-source JavaScript library. The compromised package versions reportedly contained unauthorized modifications designed to harvest sensitive information from developers and applications pulling in the infected dependency. OpenAI stated its security teams moved quickly to assess exposure and monitor affected environments after reports of the malicious package surfaced. The company indicated its infrastructure and customer data remained secure throughout the incident. The disclosure adds OpenAI to the list of organizations reviewing exposure from the TanStack npm compromise and underscores ongoing risk from third-party open-source dependencies.
- OpenAI Finds No Evidence of User Data Breach in TanStack npm Sup(opens in a new tab)
- OpenAI says hackers stole some data after latest code security i(opens in a new tab)
- OpenAI confirms security breach in TanStack supply chain attack(opens in a new tab)
- OpenAI confirms security breach in TanStack supply chain attack,(opens in a new tab)
- OpenAI Confirms Data Breach by Supply Chain Attack(opens in a new tab)
HiddenLayer disclosed on May 12, 2026 that a malicious Hugging Face repository named Open-OSS/privacy-filter typosquatted OpenAI's legitimate Privacy Filter release, copying its model card nearly verbatim and accumulating over 244,000 downloads and 667 likes in under 18 hours, with figures likely artificially inflated. Users who cloned the repository and ran start.bat or python loader.py were served a base64-encoded Python loader that dropped a Rust-based infostealer. The malware employed API hiding, debugger and sandbox detection, virtual machine checks, and attempts to disable AMSI and ETW to evade detection, and it targeted browser passwords, session cookies, Discord tokens, crypto wallets, and Telegram sessions. HiddenLayer advised affected users to treat infected hosts as fully compromised, rotate all stored credentials, invalidate sessions, and move cryptocurrency funds to wallets generated on clean devices. The campaign abuses OpenAI's brand to lure developers but does not indicate a compromise of OpenAI's own infrastructure.
Dragos and Gambit Security have published details of an intrusion into a municipal water and drainage utility in Monterrey, Mexico, in which a threat actor leveraged OpenAI's GPT models alongside Anthropic's Claude as an AI-assisted operational engine. The January 2026 attack was part of a broader campaign targeting Mexican government organizations between December 2025 and February 2026. According to the report, GPT was used for victim data processing and structured reporting, while Claude handled intrusion planning and tool development, including a 17,000-line Python framework iteratively refined by the model. The incident represents confirmed abuse of OpenAI's models in an active intrusion against operational technology assets, though no specific OpenAI platform vulnerability is implicated. Other sources in the batch concern Anthropic's Claude Chrome extension or unrelated open-source CVE trends and were not used.