ChatGPhish, disclosed by Permiso Security on May 29, 2026, is a browser based prompt injection attack that exploits ChatGPT’s implicit trust in Markdown to deliver phishing links, fake security alerts, and QR codes in... The vulnerability is the latest escalation in a four year chain of prompt injection flaws — from...

Create a landscape editorial hero image for this Studio Global article: How does the ChatGPhish vulnerability discovered by Permiso Security exploit ChatGPT's Markdown rendering to deliver phishing attacks throug. Article summary: Here is the answer based on the available reporting.. Topic tags: general, general web, academic, user generated. Reference image context from search candidates: Reference image 1: visual subject "In yet another "Your chatbot may be leaking" moment, researchers have uncovered multiple weaknesses in OpenAI's ChatGPT that could allow an attacker to exfiltrate private informati" source context "Multiple ChatGPT Security Bugs Allow Rampant Data Theft" Reference image 2: visual subject "Researchers at Check Point discovered that a single malicious prompt could exploit a hidden outbound channel within ChatGPT's code execution" source context "ChatGPT data leakage vul
When ChatGPT summarizes a web page, you trust the links and buttons you see in its response. That trust is exactly what the ChatGPhish vulnerability exploits.
Disclosed by Permiso Security on May 29, 2026, ChatGPhish is a browser-based prompt injection technique that turns ChatGPT’s web page summarization feature into a phishing delivery surface . Unlike earlier attacks that focused on covert data exfiltration, this one weaponizes the assistant’s own interface to present attacker-controlled links, fake login forms, and security alerts as legitimate ChatGPT output. Here is how it works, the lineage of prompt injection flaws that led to it, and what OpenAI had (and had not) said as of the disclosure date.
The attack is straightforward but effective because it targets a fundamental trust assumption: the ChatGPT response renderer treats Markdown links and Markdown image URLs that originated from a third-party page as trusted content, auto-fetching images and surfacing links as live, clickable elements inside the assistant’s own UI .
The attack chain runs in three stages:
Because ChatGPT does not sufficiently sanitize Markdown content from web pages before rendering it, any third-party page the model browses becomes a potential phishing vector. This is not a server-side exploit of OpenAI’s infrastructure — it is a client-side rendering weakness that abuses the browser-based trust users place in ChatGPT’s visual output.
ChatGPhish did not appear in a vacuum. It is the latest chapter in a multi-year escalation of prompt injection techniques that have followed each new capability OpenAI adds to ChatGPT. When the model gained web browsing, code execution, plugin support, and memory, attackers found fresh surfaces to inject instructions and exfiltrate data.
Here are the key waypoints on the path to ChatGPhish:
Each step in this timeline shows the same pattern: a new ChatGPT capability opens a fresh injection surface, and the Markdown renderer repeatedly proves to be the weak link because it implicitly trusts content from external pages.
As of May 29–30, 2026, the available reporting documents Permiso Security’s public disclosure of ChatGPhish on May 29, but no public statement or patch from OpenAI specific to this vulnerability had been reported .
OpenAI was not idle on security during this window. The company managed two separate incidents in May 2026 that were unrelated to ChatGPhish:
The gap between ChatGPhish’s disclosure and any acknowledgment from OpenAI is significant. It leaves ChatGPT’s web summarization surface exposed in the interim, with the public now aware of a phishing path that requires only a user asking ChatGPT to summarize a carefully prepared web page.
ChatGPhish matters because it attacks the interface trust that makes AI assistants useful. When ChatGPT browses the web, summarizes a page, and presents links inside its own UI, users have no visual signal that those links originated from an untrusted third party rather than from OpenAI itself.
Organizations that allow employees to use ChatGPT’s browsing features should treat web summaries as an untrusted content source until OpenAI issues a fix. The vulnerability also highlights a recurring architectural tension: AI assistants that blend first-party UI with third-party data need renderers that treat all external content as potentially hostile, not just as display text.
Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
ChatGPhish, disclosed by Permiso Security on May 29, 2026, is a browser based prompt injection attack that exploits ChatGPT’s implicit trust in Markdown to deliver phishing links, fake security alerts, and QR codes in...
ChatGPhish, disclosed by Permiso Security on May 29, 2026, is a browser based prompt injection attack that exploits ChatGPT’s implicit trust in Markdown to deliver phishing links, fake security alerts, and QR codes in... The vulnerability is the latest escalation in a four year chain of prompt injection flaws — from 2022’s first named attack to 2026’s DNS based data theft — and as of the disclosure date, OpenAI had not acknowledged or...
The core weakness is ChatGPT’s response renderer, which treats Markdown links and images from untrusted third party pages as trusted live elements, effectively turning any webpage the model browses into a phishing vec...