Full Report
Cybersecurity researchers have disclosed details of a vulnerability in OpenAI ChatGPT that leverages the artificial intelligence (AI) assistant’s implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks. The technique has been codenamed ChatGPhish by Permiso Security. “The chatgpt.com response renderer trusts Markdown links and Markdown image URLs that…
Analysis Summary
# Vulnerability: ChatGPhish (Markdown Rendering Indirect Prompt Injection)
## CVE Details
- **CVE ID**: Not specified (commonly categorized under general CWE-79 or CWE-116 in AI contexts)
- **CVSS Score**: Not assigned (Estimated Medium/High based on phishing potential)
- **CWE**: CWE-20 (Improper Input Validation) / CWE-79 (Improper Neutralization of Input During Web Page Generation)
## Affected Systems
- **Products**: OpenAI ChatGPT (Web Interface)
- **Versions**: Current versions as of disclosure (May/June 2026)
- **Configurations**: Any session where the assistant is tasked with summarizing or fetching content from third-party URLs/external web pages.
## Vulnerability Description
The vulnerability, dubbed **ChatGPhish**, stems from the ChatGPT web renderer's implicit trust in Markdown syntax found within third-party content. When a user asks the AI to summarize a malicious webpage, the attacker can use **Indirect Prompt Injection** to embed specially crafted Markdown image tags (`![]()`) and links (`[]()`).
The `chatgpt.com` UI automatically renders these elements. Because the renderer does not sufficiently sanitize or isolate these links, it auto-fetches images (which can be used for tracking/IP logging) and displays live, clickable elements that appear to be part of the trusted ChatGPT interface, facilitating highly convincing phishing attacks.
## Exploitation
- **Status**: PoC available (Disclosed by Permiso Security)
- **Complexity**: Low (Requires only standard Markdown and a web-accessible malicious page)
- **Attack Vector**: Network (Remote; triggered when the AI fetches external content)
## Impact
- **Confidentiality**: Medium (Can result in the leakage of user metadata, IP addresses, and potentially sensitive information if the user interacts with the phishing links)
- **Integrity**: Low (Does not alter the AI model itself, but manipulates the presentation of data)
- **Availability**: None
## Remediation
### Patches
- **OpenAI**: Users are advised to use the latest version of the ChatGPT web interface. OpenAI generally handles these mitigations server-side; however, strict Content Security Policies (CSP) and Markdown sanitization updates are required to fully neutralize the vector.
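
One way the Markdown sanitization mentioned above could look, as an added example that is not OpenAI's or Permiso's code: a text-level pre-filter that turns images and links pointing at non-allowlisted hosts into inert text before the renderer sees them. The allowlist, function names and sample model output are assumptions constructed for illustration, and only inline `![]()` and `[]()` syntax is covered (reference-style links, autolinks and raw HTML are not).

```javascript
// Constructed allowlist for this example: hosts the UI may link to or load images from.
const ALLOWED_HOSTS = ["chatgpt.com", "openai.com"];

// Inline Markdown image or link: optional "!", [label], (destination "optional title").
const INLINE = /(!?)\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

// Parse a destination; returns null for relative or malformed URLs.
function parseUrl(raw) {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// True only for https URLs whose host is an allowlisted domain or a subdomain of one.
function isTrusted(url, allowed) {
  if (!url || url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  return allowed.some((d) => host === d || host.endsWith("." + d));
}

// Rewrite untrusted images and links to inert text before the renderer sees them.
function sanitizeModelMarkdown(markdown, allowed = ALLOWED_HOSTS) {
  const blocked = [];
  const text = markdown.replace(INLINE, (match, bang, label, dest) => {
    const url = parseUrl(dest);
    if (isTrusted(url, allowed)) return match;
    const host = (url && url.hostname) || "unknown";
    const kind = bang ? "image" : "link";
    blocked.push({ kind, host });
    // Images are dropped so nothing is auto-fetched; links keep their label but
    // lose the target, and the real host is shown. Parentheses are used because
    // square brackets could be re-linked by a reference definition.
    const safeLabel = label.replace(/[\[\]]/g, "");
    return bang ? `(image blocked: ${host})` : `${safeLabel} (link removed: ${host})`;
  });
  return { text, blocked };
}

// Constructed sample of model output after summarizing a hostile page.
const SAMPLE =
  "Summary done. ![status](https://tracker.example/p.png?u=1) " +
  "[Verify your account](https://chatgpt.com@login.example/verify) " +
  "See [help](https://help.openai.com/articles).";

console.log(sanitizeModelMarkdown(SAMPLE));
```

The `blocked` array doubles as a detection signal: a summary that produces entries there contained Markdown pointing outside the allowlist.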
### Workarounds
- **Caution with Summarization**: Users should exercise caution when asking ChatGPT to summarize unknown or untrusted websites.
- **Link Verification**: Hover over rendered links in the chat UI to verify the destination URL before clicking.
- **Disable Web Fetching**: Where possible, manually paste text for summarization rather than providing a URL.
## Detection
- **Indicators of Compromise**:
  - Presence of unexpected images or hyperlinked buttons in summaries of external pages.
  - Outbound requests to unknown third-party domains immediately following a web-summary prompt.
- **Detection Methods**: Security teams can monitor web traffic for unusual image-fetch requests originating from the ChatGPT domain during active sessions.
## References
- **Vendor Advisory**: hxxps[://]chatgpt[.]com
- **Researcher Report**: hxxps[://]permiso[.]io/blog/chatgpt-markdown-rendering-vulnerability
- **Secondary Source**: hxxps[://]thehackernews[.]com/2026/05/chatgphish-vulnerability-turns-chatgpt.html