Dual Critical Failures: RCE & DNS Exfiltration in ChatGPT Canvas

SnailSploit | Kai Aizen — Sun, 01 Feb 2026 14:32:08 +0000

I published new security research documenting two critical vulnerabilities in OpenAI's ChatGPT Code Interpreter that form a complete attack chain.

Key Findings

Critical Failure A: Python Pickle RCE (CWE-502)
The Python pickle module allows arbitrary code execution when processing attacker-controlled serialized objects. Malicious pickle payloads successfully execute within the sandbox via the __reduce__ method, achieving RCE at user privilege level.

Critical Failure B: DNS Exfiltration via Canvas Rendering (CWE-200)
While the sandbox blocks direct outbound connections, the ChatGPT canvas creates an uncontrolled egress channel. When the model prints hostname-like strings, the canvas renders them, triggering DNS queries from the user's browser. Data encoded in subdomain labels is captured by an attacker-controlled nameserver.

Why This Matters

These two failures combine into a unified kill chain: Pickle RCE harvests secrets from the sandbox environment, and DNS exfiltration via canvas rendering smuggles them out — bypassing all server-side network controls because the DNS queries originate from the user's browser.

Meta acknowledged and patched the same vulnerability class (CVE-2024-50050, pickle deserialization in Llama-Stack) within 11 days. OpenAI dismissed this report.

Full Research

Read the complete writeup with evidence, MITRE ATT&CK mapping, and technical details:

👉 Dual Critical Failures: RCE & DNS Exfiltration in ChatGPT Canvas

GitHub repo with logs and evidence: github.com/SnailSploit/chatgpt-rce-dns

DEV Community: SnailSploit | Kai Aizen

Dual Critical Failures: RCE & DNS Exfiltration in ChatGPT Canvas

Key Findings

Why This Matters

Full Research