ChatGPT Path Traversal Vulnerability Allowed Access to System Files
A researcher chained a guardrail bypass with a path traversal vulnerability in ChatGPT's file download feature to access sensitive system files like /etc/passwd.

A security researcher has demonstrated a sophisticated exploit chain targeting OpenAI's ChatGPT, which combined a guardrail bypass with a path traversal vulnerability to potentially access restricted system files. The vulnerability, discovered by researcher zer0dac, leveraged ChatGPT's file download mechanism to achieve local file inclusion (LFI).
The exploitation process began with a user uploading a seemingly innocuous HTML file to ChatGPT for review, establishing a sandboxed file path within the platform. Initially, direct requests for a download link were denied due to ChatGPT's standard deletion policy for temporary files. This initial denial aligns with OWASP's LLM02:2025 category for sensitive information disclosure, as the system was designed to prevent unauthorized access to uploaded content.
To circumvent this deletion policy, the researcher employed social engineering tactics by first requesting an edit to the uploaded file. Following this, the researcher prompted ChatGPT to believe the file was "accidentally deleted" and requested a re-download link. This conversational manipulation successfully tricked the AI into generating a valid download URL, bypassing the intended deletion restriction.
With a valid download endpoint in hand, the researcher focused on the sandbox_path parameter within the backend API structure: /backend-api/conversation/{id}/interpreter/download?message_id={id}&sandbox_path=/mnt/data/test.html. Instead of a direct traversal payload like ../../../../etc/passwd, which would likely be caught by path validation, the researcher used a technique of appending traversal sequences after the legitimate path: /mnt/data/test.html/../../../../etc/passwd.
This novel approach exploited inconsistencies in path normalization logic. The validation mechanism treated the request as access to a legitimate file, yet the traversal sequences were still resolved afterwards, reaching directories outside the intended sandboxed environment. When the crafted URL was opened directly in a browser, it returned the contents of the /etc/passwd file from ChatGPT's execution environment.
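The mismatch between validating the raw string and resolving it later can be reproduced in a few lines. The following is an added example, not code from the researcher or from OpenAI: the backend's real validation is undisclosed, so naive_is_allowed is a hypothetical model of the bug class, and resolve_in_sandbox and audit are illustrative names for a canonicalize-then-check defense.

```python
import posixpath

SANDBOX_ROOT = "/mnt/data"  # sandbox directory seen in the article's URL


def naive_is_allowed(sandbox_path: str) -> bool:
    # Hypothetical weak check (assumption: the real validation is undisclosed).
    # It tests the raw string, so anything after a valid prefix is trusted.
    return sandbox_path.startswith(SANDBOX_ROOT + "/")


def resolve_in_sandbox(sandbox_path: str, root: str = SANDBOX_ROOT) -> str:
    """Canonicalize first, then validate the canonical form against root."""
    if "\x00" in sandbox_path:
        raise ValueError("NUL byte in path")
    # join() anchors relative input under root; normpath() collapses "." and
    # ".." lexically. On a live filesystem use os.path.realpath() instead so
    # symlinks are resolved before the containment check as well.
    candidate = posixpath.normpath(posixpath.join(root, sandbox_path))
    # commonpath() compares whole segments, so /mnt/database is not mistaken
    # for a child of /mnt/data the way a string prefix test would.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes sandbox: {sandbox_path!r}")
    return candidate


def audit(paths):
    """Return (input, naive verdict, hardened result or None) per path."""
    rows = []
    for p in paths:
        try:
            resolved = resolve_in_sandbox(p)
        except ValueError:
            resolved = None
        rows.append((p, naive_is_allowed(p), resolved))
    return rows


# First three values appear in the article; the rest are constructed samples.
SAMPLES = [
    "/mnt/data/test.html",
    "/mnt/data/test.html/../../../../etc/passwd",
    "../../../../etc/passwd",
    "/mnt/data/reports/../test.html",
    "/mnt/database/secret.txt",
]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

The second sample is the case that matters: the prefix test accepts it, while the canonical form is /etc/passwd and is rejected.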
While the practical impact of accessing a generic system file like /etc/passwd was limited due to ChatGPT's sandboxed execution environment, the vulnerability highlights critical security considerations for AI platforms. It demonstrates how traditional web application vulnerabilities, such as path traversal and LFI, can be integrated into exploit chains within AI-powered systems, especially those with agentic capabilities or tool augmentation.
OpenAI has since addressed the vulnerability by redesigning the URL download flow, though specific technical details of the fix remain undisclosed. This incident underscores the convergence of AI-specific security risks, like prompt-based guardrail manipulation, with established web security flaws. As LLM platforms increasingly handle file operations, code execution, and dynamic URL generation, a combination of AI-focused red teaming and conventional security testing is deemed essential.
The disclosure serves as a potent reminder that LLM security requires a dual approach, addressing both the unique vulnerabilities introduced by AI models and the persistent threats found in traditional software development. The ability to manipulate AI behavior through conversational prompts, combined with underlying technical flaws, presents a complex threat landscape that developers and security professionals must navigate.