Tenable Researchers Uncover Vulnerabilities in GPT-4o’s Memory and Search Capabilities

Researchers at Tenable uncovered seven security flaws in OpenAI’s ChatGPT, including critical vulnerabilities in the GPT-4o model that exposed memory-stored user data and allowed web tool abuse. The findings highlight growing risks as enterprises integrate generative AI into sensitive workflows.

    Researchers at cybersecurity firm Tenable have revealed seven previously undisclosed vulnerabilities in OpenAI’s ChatGPT, including critical flaws in the new GPT-4o model. These weaknesses allow unauthorized access to memory-based user data and abuse of the tool’s web search features. The discoveries raise pressing concerns about the security posture of generative AI platforms as enterprises increasingly adopt such tools for productivity, data analytics, and customer engagement.

    GPT-4o’s Innovations Also Introduced New Security Gaps

    OpenAI launched GPT-4o in May 2024, touting significant upgrades, including improved multimodal capabilities and new memory persistence features designed to retain conversational context over time. However, Tenable’s disclosure illustrates how these same enhancements can be exploited if not properly secured.

    Memory Feature Leaks Sensitive Conversations

    Tenable researchers demonstrated that vulnerabilities in the GPT-4o memory feature could be used to exfiltrate data from prior interactions with ChatGPT. By manipulating system prompts or context windows, adversaries were able to coax the model into revealing snippets of saved memories that should have been unavailable to unauthorized users.

    “These flaws enable attackers to extract private information retained in memory, violating user expectations of confidentiality,” the researchers wrote.

    Such leakage could be particularly damaging in enterprise environments where proprietary, sensitive, or legally protected information may be discussed during AI-assisted workflows. The memory feature, while designed to improve personalization and continuity, currently lacks robust isolation and control mechanisms for different users or sessions.

    Web-Browsing Tool Lacks Adequate Input Validation

    Tenable uncovered multiple flaws in the “browse with Bing” capability integrated into ChatGPT. These issues allowed for arbitrary URL injection, redirect manipulation, and potential misuse of the AI as a proxy for web-based reconnaissance. This could let attackers:

    • Circumvent filter lists by sneaking malicious URLs into prompts.
    • Route AI queries through attacker-controlled servers.
    • Exfiltrate data or track model behavior via transparent redirection.

    In some test scenarios, Tenable managed to get GPT-4o to follow disguised links and leak metadata about its browsing behavior—raising the risk of targeted information gathering about how the AI interface processes external content.

    Broader Threats Inherent in Generative AI Tools

    The identified GPT-4o vulnerabilities reflect a larger pattern seen across generative AI platforms. As models become more interactive and context-aware, the attack surface expands in both expected and novel ways.

    AI Prompt Injection and Model Abuse Risks Increasing

    Several of Tenable’s proof-of-concept attacks relied on prompt injection, a technique where malicious users craft inputs that manipulate the model’s internal instructions. This has long been an issue in large language models (LLMs), but the presence of persistent memory and external plug-ins heightens the severity.

    Organizations making use of generative AI need to be aware that:

    • Any memory-based personalization feature increases risk if not tightly sandboxed.
    • Web access tools must rigorously validate all user-generated input.
    • Prompt injection is no longer a theoretical concern—it is now a practical attack vector.
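
    One way to apply the input-validation point to a browsing tool, as an added example that is not from Tenable or OpenAI: each URL the model asks to fetch, and every redirect target after it, is checked before any request is made. The allowlist, hostnames, redirect limit and function names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts the browsing tool may fetch (constructed sample values).
ALLOWED_HOSTS = {"docs.example.com", "www.example.org"}
MAX_REDIRECTS = 3  # assumed policy limit


def check_url(url):
    """Return (ok, reason) for a single URL the model asks the tool to fetch."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme not https"
    # "https://trusted@other-host/" displays a trusted name but connects elsewhere.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "IP literal host"
    except ValueError:
        pass  # not an IP literal, continue with the name checks
    if port not in (None, 443):
        return False, "non-default port"
    if host not in ALLOWED_HOSTS:
        return False, "host not allowlisted"
    return True, "ok"


def check_redirect_chain(chain):
    """Validate the requested URL and each redirect target, in order.

    Assumes the fetcher has automatic redirects disabled and passes every
    Location value through this check before requesting it.
    """
    if not chain:
        return False, "empty chain"
    if len(chain) - 1 > MAX_REDIRECTS:
        return False, "too many redirects"
    for hop, url in enumerate(chain):
        ok, reason = check_url(url)
        if not ok:
            return False, f"hop {hop}: {reason}"
    return True, "ok"
```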

    Lack of Enterprise-Grade Isolation Remains a Key Weakness

    A central takeaway from Tenable’s research is the immature state of role-based isolation within public-facing generative AI tools. Simply relying on session IDs or vague user context is insufficient. Without hardened segmentation and consistent audit controls, malicious actors can pivot between system contexts and potentially cross tenant boundaries.

    OpenAI Responds, but Transparency Still Limited

    Following responsible disclosure, OpenAI reportedly patched the affected GPT-4o components. However, details about the scope of the fixes were not made public, and no CVEs (Common Vulnerabilities and Exposures) were issued for the discovered bugs.

    Tenable emphasized the need for greater transparency from AI platform providers, especially when vulnerabilities could impact enterprise users or expose identifiable data.

    “AI vendors must establish clear vulnerability reporting programs and patch lifecycle processes—not unlike what’s expected from traditional SaaS providers,” Tenable’s disclosure recommended.

    Moving Forward, AI Security Demands Shared Responsibility

    As enterprises accelerate deployment of generative AI in production workflows, these findings underscore the urgent need for a shared security framework. Developers, researchers, and end users must collaborate on strengthening guardrails, improving model interpretability, and baking in privacy safeguards.

    For organizations leveraging ChatGPT or similar tools, the following practices are increasingly essential:

    1. Regular monitoring for prompt injection attempts or suspicious model behavior.
    2. Strong internal policies restricting the nature of information sent to memory-enabled AI tools.
    3. Network-level controls to sandbox plugins and web access by default.

    Tenable’s discoveries act as both a red flag and a call to action—highlighting how AI innovation must be balanced with rigorous threat modeling and secure design principles. The vulnerabilities in GPT-4o may be resolved, but they offer a preview of wider issues that will only grow as artificial intelligence becomes more deeply integrated into critical systems.
