ChatGPT File Download Flaw Could Have Exposed Sandbox System Files
A flaw in ChatGPT’s file download flow, demonstrated in a researcher’s proof of concept, could have allowed access to restricted files inside the platform’s sandboxed execution environment, according to a public report covered by Cybersecurity News.
The reported issue combined two separate weaknesses: a prompt-based guardrail bypass and a traditional path traversal flaw in a file download endpoint. Together, they allowed a researcher to retrieve a system file from the ChatGPT sandbox environment.
The reported impact was limited because the file came from a sandboxed environment, not from OpenAI’s broader infrastructure or another user’s account. However, the case shows why AI platforms need both LLM red teaming and standard web application security testing.
What the ChatGPT File Download Flaw Involved
The report says researcher zer0dac started by uploading a dummy HTML file into ChatGPT for review. That created a valid file path inside the temporary sandbox used for file handling and code-related workflows.
When the researcher directly asked ChatGPT for a download link, the model initially refused. The bypass reportedly worked after the researcher asked for an edit to the uploaded file, then requested a new download link after claiming the original file had been deleted.
That step produced a backend download URL with a sandbox file path parameter. The researcher then tested whether the parameter could be manipulated to access files outside the intended user-uploaded path.
Why Path Traversal Matters Here
PortSwigger describes path traversal as a vulnerability that can let attackers read arbitrary files from the server running an application, including application data, credentials, or operating system files.
In this case, the researcher reportedly avoided a plain traversal attempt, which a simple filter would likely block. Instead, the request kept the original valid sandbox path and appended traversal sequences after it. A check on the raw parameter would see a path that begins inside the upload directory, while the path actually opened, once the ".." segments are collapsed, lies outside it. That pattern suggests inconsistent path normalization in the download flow.
The OWASP Web Security Testing Guide warns that file-handling features can become risky when input validation fails to keep users inside the intended root directory. That risk becomes more complex when an LLM generates or exposes backend file URLs.
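The following is an added example, not code from the researcher's report or from OpenAI, showing in Python why a prefix check on the raw download parameter fails against the request shape described above, beside a hardened handler that rejects traversal segments before normalization and re-checks containment on the resolved path afterwards. The directory names, the parameter format and the sample requests are constructed for the illustration; the vulnerable version assumes the server normalizes the string before opening it.

```python
from typing import Optional
from urllib.parse import unquote
import posixpath

# Constructed path for this example; it is not the real sandbox layout.
UPLOAD_DIR = "/mnt/data/uploads"


def vulnerable_download(path_param: str) -> str:
    """Check the raw parameter, then normalize and serve the normalized path.

    The prefix check passes because the parameter *starts* with the upload
    directory. The '..' segments appended after the valid file name are only
    collapsed afterwards, by normpath, so the path that is actually opened
    lies outside UPLOAD_DIR.
    """
    decoded = unquote(path_param)
    if not decoded.startswith(UPLOAD_DIR + "/"):
        raise PermissionError("outside upload directory")
    return posixpath.normpath(decoded)  # the path that would be read


def hardened_download(path_param: str) -> Optional[str]:
    """Reject traversal before normalization and re-check containment after.

    Returns the resolved path to serve, or None if the request is refused.
    """
    decoded = unquote(path_param)
    # 1. Before normalization: refuse NUL bytes and any '..' segment, including
    #    ones that only appear once percent-encoding has been removed.
    if "\x00" in decoded or ".." in decoded.split("/"):
        return None
    # 2. Normalize. String-level here so the example runs offline; a real
    #    service should resolve with os.path.realpath so symlinks cannot escape.
    resolved = posixpath.normpath(decoded)
    # 3. After normalization: the canonical path must still sit under UPLOAD_DIR.
    if not resolved.startswith(UPLOAD_DIR + "/"):
        return None
    return resolved


# Constructed request parameters: a legitimate download, the traversal shape
# described in the report (valid path first, '..' sequences after it), and the
# same shape with percent-encoded dots.
LEGIT = "/mnt/data/uploads/test.html"
TRAVERSAL = "/mnt/data/uploads/test.html/../../../../etc/passwd"
ENCODED = "/mnt/data/uploads/test.html/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"

if __name__ == "__main__":
    for param in (LEGIT, TRAVERSAL, ENCODED):
        print("vulnerable:", vulnerable_download(param))
        print("hardened:  ", hardened_download(param))
```

The vulnerable handler returns "/etc/passwd" for both traversal inputs even though its prefix check passed; the hardened one serves only the legitimate upload. The order matters: a filter that runs only before normalization can be fed encoded dots, and a containment check that runs only on the raw string never sees the collapsed path.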
Reported Exploit Chain
| Step | What happened | Security issue |
|---|---|---|
| File upload | A test HTML file was uploaded to ChatGPT | Created a valid sandbox file reference |
| Model manipulation | The researcher used conversational framing to request a new download link | Bypassed a model-level refusal |
| Endpoint exposure | A backend download endpoint exposed a sandbox path parameter | Created a file access target |
| Path traversal | A crafted path resolved outside the intended uploaded file location | Allowed access to a sandbox system file |
The system file reportedly accessed was /etc/passwd, a standard Unix-like file that lists local user account entries; on modern systems password hashes are kept in /etc/shadow, not there. Reading it is the usual way to prove an arbitrary file read, but it does not by itself prove access to secrets, user data, or host infrastructure.
The key risk was not the value of that single file. The more serious lesson is that a file read primitive can become more dangerous if it reaches tokens, configuration files, mounted data, logs, or service credentials in a less restricted environment.
That is why traditional file access controls still matter in AI products. LLM safeguards can reduce unsafe outputs, but backend endpoints must also validate the final resolved path before serving any file.
How This Fits LLM Security Risks
The reported guardrail bypass maps closely to OWASP LLM02:2025 Sensitive Information Disclosure, which covers cases where an LLM application exposes sensitive data through its outputs or connected application context.
OWASP notes that prompt restrictions may reduce disclosure risk but may not always hold up against prompt injection or related methods. In this incident, the model interaction helped unlock a backend file download route that then exposed a web application flaw.
OpenAI’s own Safety Bug Bounty program separates common jailbreaks from issues that create meaningful abuse, safety, or data exposure risk. The company says issues that allow access to features, data, or functionality beyond authorization should go through its security bug bounty process.
OpenAI Reportedly Changed the Download Flow
Cybersecurity News reported that OpenAI remediated the issue by redesigning the URL download flow. The company has not published a separate public technical advisory describing the precise fix.
OpenAI’s coordinated vulnerability disclosure policy says the company invites good-faith researchers to report vulnerabilities, bugs, safety and abuse issues, and security flaws in its systems.
That policy matters because AI security reports often sit between two categories. Some flaws involve prompts, model behavior, and tool use, while others involve ordinary application bugs such as file path validation, authorization, and URL handling.
Sandboxing Limited the Practical Impact
Prior research from 0DIN described ChatGPT’s code execution environment as a sandbox designed to provide limited file and code functionality without exposing broader infrastructure.
That sandbox design likely reduced the impact of this proof of concept. Access to a generic system file inside an isolated environment does not automatically mean an attacker can reach private conversations, OpenAI infrastructure, or another user’s uploaded files.

Still, sandbox boundaries should not become the only defense. If a similar file traversal bug appeared in an agentic workflow with broader connectors, persistent storage, enterprise data, or third-party services, the consequences could be more serious.
What AI Platform Teams Should Learn
This incident highlights a practical problem for AI product security: prompt handling, file handling, and backend authorization can interact in unexpected ways. A weak link in one layer can expose assumptions in another.
- Validate the final resolved file path, not just the raw user-supplied path.
- Block path traversal sequences before and after path normalization.
- Use signed, short-lived file download tokens tied to one file and one user session.
- Separate LLM refusal logic from backend authorization decisions.
- Log unusual download attempts that include traversal-like path changes.
- Test file workflows with both AI red teaming and standard web app security testing.
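The third item above, signed short-lived download tokens, is easiest to see in code. This is an added example in Python, not OpenAI's design or code from the report: the URL carries an opaque file ID inside an HMAC-signed token bound to one session and an expiry, and the sandbox path is looked up server-side, so no filesystem path is ever a client-controlled input. The secret, the file table and the session IDs are constructed for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example. SECRET would be a per-deployment key kept
# out of the code; FILE_TABLE stands in for the server-side store that maps an
# opaque file ID to its sandbox path. No filesystem path ever appears in a URL.
SECRET = b"example-only-not-a-real-key"
FILE_TABLE = {"f_3a9c": "/mnt/data/uploads/test.html"}
TOKEN_TTL = 300  # seconds a download link stays valid


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: bytes) -> str:
    return _b64e(hmac.new(SECRET, body, hashlib.sha256).digest())


def issue_token(file_id: str, session_id: str, now: Optional[float] = None) -> str:
    """Mint a download token bound to one file ID, one session and a short expiry."""
    now = time.time() if now is None else now
    claims = {"f": file_id, "s": session_id, "exp": int(now) + TOKEN_TTL}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64e(body)}.{_sign(body)}"


def resolve_token(token: str, session_id: str, now: Optional[float] = None) -> Optional[str]:
    """Return the sandbox path to serve, or None if any binding check fails."""
    now = time.time() if now is None else now
    try:
        body_b64, sig = token.split(".", 1)
        body = _b64d(body_b64)
        # 1. Verify the MAC in constant time before trusting any claim.
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return None
        claims = json.loads(body)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    # 2. Short-lived: an old link cannot be replayed later.
    if now > claims.get("exp", 0):
        return None
    # 3. Bound to the session that asked for the link, not just to the file.
    if not hmac.compare_digest(str(claims.get("s", "")).encode(), session_id.encode()):
        return None
    # 4. The file ID is opaque; the path comes from the server-side table only.
    return FILE_TABLE.get(claims.get("f"))


def tamper_file_id(token: str, new_file_id: str) -> str:
    """Constructed attack: swap the file ID but keep the original signature."""
    body_b64, sig = token.split(".", 1)
    claims = json.loads(_b64d(body_b64))
    claims["f"] = new_file_id
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64e(body)}.{sig}"


if __name__ == "__main__":
    token = issue_token("f_3a9c", "sess-1")
    print("own session:  ", resolve_token(token, "sess-1"))
    print("other session:", resolve_token(token, "sess-2"))
    print("tampered id:  ", resolve_token(tamper_file_id(token, "f_0000"), "sess-1"))
```

Because the path is resolved from the file ID on the server, a traversal payload has nowhere to go; an attacker who edits the ID breaks the signature, a link copied from another session fails the session binding, and a leaked link dies after TOKEN_TTL seconds.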
The OWASP Web Security Testing Guide recommends systematic testing of input vectors and traversal techniques because these flaws often hide in everyday file features.
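The list above also asks teams to log unusual download attempts. As an added example, not tooling from the report or from OpenAI, here is a detection pass in Python over constructed access-log lines: it decodes the path parameter (twice, to catch double encoding), flags ".." segments, flags requests whose normalized path differs from the decoded one or escapes the upload directory, and keeps the HTTP status so a flagged request that returned 200 can be treated as a likely successful read rather than a blocked probe. The log format, directory and session IDs are assumptions for the illustration.

```python
import posixpath
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Constructed access-log lines in a simplified "ip session request status"
# shape; they are not real OpenAI logs. The third line is double-encoded.
SAMPLE_LOG = """\
203.0.113.5 sess-1 "GET /backend/download?path=/mnt/data/uploads/test.html HTTP/1.1" 200
203.0.113.5 sess-1 "GET /backend/download?path=/mnt/data/uploads/test.html/../../../../etc/passwd HTTP/1.1" 200
203.0.113.5 sess-1 "GET /backend/download?path=/mnt/data/uploads/test.html/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404
198.51.100.7 sess-2 "GET /backend/download?path=/mnt/data/uploads/report.pdf HTTP/1.1" 200
"""

UPLOAD_DIR = "/mnt/data/uploads"  # assumed upload root for the example
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<session>\S+) "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$'
)

# (session, http status, path after normalization, joined reasons)
Finding = Tuple[str, int, str, str]


def traversal_findings(log_text: str, root: str = UPLOAD_DIR) -> List[Finding]:
    """Flag download requests whose path parameter looks like traversal."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        query = parse_qs(urlparse(m["target"]).query)  # parse_qs decodes once
        for raw in query.get("path", []):
            decoded = unquote(raw)  # second decode catches %25xx double encoding
            resolved = posixpath.normpath(decoded)
            reasons = []
            if ".." in decoded.split("/"):
                reasons.append("dotdot-segment")
            if resolved != decoded:
                reasons.append("normalization-changed-path")
            if not resolved.startswith(root + "/"):
                reasons.append("escapes-upload-dir")
            if reasons:
                findings.append((m["session"], int(m["status"]), resolved, "+".join(reasons)))
    return findings


def served_escapes(findings: List[Finding]) -> List[Finding]:
    """Subset that both escaped the root and got a 200: the ones to page on."""
    return [f for f in findings if f[1] == 200 and "escapes-upload-dir" in f[3]]


if __name__ == "__main__":
    for finding in traversal_findings(SAMPLE_LOG):
        print(finding)
```

Two of the four sample lines are flagged, both resolving to /etc/passwd; only the one that returned 200 lands in served_escapes, which is the signal that the backend actually read outside the upload directory rather than rejecting the request.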
What Users Should Know
For regular ChatGPT users, there is no public evidence that the proof of concept exposed private user chats or files from other accounts. The reported access involved files inside a sandboxed execution environment.
For developers and enterprise buyers, the message is broader. AI systems that upload files, create temporary links, run tools, or connect to business data need the same security controls expected from mature web applications.
PortSwigger recommends preventing path traversal by avoiding direct user input in file paths where possible and validating user input before it reaches file system APIs.
Why This Case Is Important
The flaw matters because it joined a model-level bypass with a classic server-side weakness. Neither part alone needed to be catastrophic, but together they produced a working file read path.
The OWASP LLM02:2025 guidance specifically warns that LLM applications can expose data from the application context, not only from the model itself. File tools, browser tools, code tools, and agents expand that context.
OpenAI’s Safety Bug Bounty program also reflects this shift by including agentic risks, data exfiltration scenarios, and platform integrity issues that may not fit older vulnerability categories neatly.
Security Takeaway
| Risk area | Why it matters | Recommended control |
|---|---|---|
| Prompt bypass | Users may manipulate the model into exposing restricted workflow details | Keep authorization checks outside the model |
| Download URL design | File paths in URLs can become attack surfaces | Use opaque file IDs and signed tokens |
| Path normalization | Validation may check one path while the system reads another | Validate the canonical resolved path |
| Sandbox reliance | Sandboxing reduces damage but does not remove the bug | Combine isolation with strict backend controls |
The bigger lesson is simple: AI applications are still web applications. They need strong input validation, access control, logging, and vulnerability disclosure workflows alongside LLM-specific safeguards.
OpenAI’s vulnerability disclosure policy gives researchers a channel to report these issues, and reports like this show why coordinated disclosure remains important as AI tools gain more file and agent capabilities.
The earlier 0DIN sandbox research also shows that security teams need to understand how AI execution environments behave internally, especially when those environments create, move, read, or export files for users.
FAQ
What was the ChatGPT file download flaw?
It was a reported proof-of-concept issue that combined a prompt-based bypass with a path traversal flaw in ChatGPT’s file download flow, allowing access to a system file inside the sandboxed execution environment.
Did it expose other users’ chats or files?
There is no public evidence that the proof of concept exposed private user chats or files from other accounts. The reported access involved a system file inside a sandboxed environment.
Which file was accessed?
The researcher reportedly accessed /etc/passwd, a standard Unix-like system file often used to demonstrate arbitrary file read or path traversal issues.
Has OpenAI fixed it?
Public reporting says OpenAI remediated the issue by redesigning the URL download flow. OpenAI has not published a detailed public technical advisory for this specific issue.
Why does this case matter?
The case shows how LLM prompt manipulation can combine with traditional web application flaws. AI platforms that handle files, tools, and agents need both AI-specific testing and standard backend security controls.