ChatGPhish: Any Web Page Can Turn ChatGPT Into a Phishing Tool

01.06.2026

A newly disclosed vulnerability dubbed ChatGPhish allows any web page to weaponize ChatGPT against its own users, turning the AI assistant's trusted interface into a live phishing surface. Researchers at Permiso Security published proof-of-concept demonstrations on May 29, 2026, showing that ChatGPT renders Markdown links and QR codes sourced from third-party web pages - meaning an attacker-controlled site can inject fake security alerts, malicious links, and mobile-redirect QR codes directly into a victim's ChatGPT chat session.

How ChatGPhish Works: The Browser Trusts the AI, the AI Trusts the Page

The attack is a Cross Prompt Injection Attack (XPIA) targeting ChatGPT's response renderer. When a user asks ChatGPT to summarize or analyze any external web page, the AI fetches and processes the page's content - including any Markdown formatting embedded by the page owner. ChatGPT then renders that Markdown as formatted content inside its own interface, treating attacker-injected links and images as if they originated from the AI itself.

From the victim's perspective, the phishing content appears to come from ChatGPT directly. There is no suspicious URL, no warning banner, and no indication that the AI is displaying third-party-injected content. The trusted chatgpt.com interface becomes the delivery mechanism for the attack.

Three Attack Chains Demonstrated

Permiso researcher Andi Ahmeti demonstrated three distinct attack chains, each exploiting the same underlying renderer flaw:

  • Fake OpenAI security alerts: Injected Markdown renders as a styled button inside ChatGPT's own UI, mimicking official OpenAI notifications. Clicking leads to an attacker-controlled credential-harvesting page.
  • QR code mobile pivot: Inline QR codes rendered by ChatGPT redirect the attack from the desktop session to the victim's smartphone - allowing the phishing chain to bypass desktop browser protections.
  • Tracking pixels: Invisible image URLs injected via Markdown auto-fetch on render, leaking the victim's IP address, User-Agent, Referer header, and session timing to the attacker with every ChatGPT page summary.

The attack requires no malware, no browser exploit, and no account compromise. The only prerequisite is convincing a target to ask ChatGPT to summarize an attacker-controlled URL - a trivially simple social engineering step given how commonly users now turn to AI assistants to digest web content.
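All three chains depend on inline Markdown links and images from a fetched page reaching the renderer unchanged. The sketch below is an added example, not code from Permiso or OpenAI: it rewrites such references in model output unless their host is allowlisted, and the names `TRUSTED_HOSTS`, `neutralizeMarkdown` and all sample text are assumptions constructed for illustration.

```javascript
// Added example: neutralise inline Markdown links/images in assistant output
// derived from a fetched page. TRUSTED_HOSTS and the sample are constructed.
const TRUSTED_HOSTS = new Set(["help.example.com"]);

// Matches ![alt](url "title") and [text](url "title"); "!" marks an image.
const MD_REF = /(!?)\[([^\[\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

function hostOf(url) {
  try {
    const u = new URL(url);
    return /^https?:$/.test(u.protocol) ? u.hostname.toLowerCase() : null;
  } catch {
    return null; // relative, malformed or otherwise unparsable target
  }
}

function neutralizeMarkdown(text, trusted = TRUSTED_HOSTS) {
  const findings = [];
  let safe = text, prev;
  do { // repeat so nested forms such as [![alt](img)](link) are unwrapped
    prev = safe;
    safe = prev.replace(MD_REF, (match, bang, label, url) => {
      const host = hostOf(url);
      if (host && trusted.has(host)) return match; // allowlisted: keep as-is
      findings.push({ kind: bang ? "image" : "link", host, label });
      // Images are dropped so nothing is auto-fetched (pixel) or shown (QR).
      if (bang) return `(image removed: ${host ?? "non-http target"})`;
      // Links lose their clickable form and expose the real destination host.
      return `${label} (link removed, pointed to ${host ?? "non-http target"})`;
    });
  } while (safe !== prev);
  return { safe, findings };
}

// Constructed model output containing the three patterns listed above.
const sample = [
  "Summary of the page.",
  "[Verify your OpenAI account](https://login.attacker.example/verify)",
  "![Scan to continue](https://qr.attacker.example/code.png)",
  "![](https://px.attacker.example/t.gif?id=1)",
  "See [the help centre](https://help.example.com/article).",
].join("\n");

const result = neutralizeMarkdown(sample);
console.log(result.safe);
console.log(result.findings);
```

The regular expression covers only inline references; reference-style links, autolinks and raw HTML need the same policy applied on the parsed Markdown tree.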

OpenAI Notified in April - Still No Patch

Ahmeti disclosed the ChatGPhish vulnerability to OpenAI through the Bugcrowd bug bounty platform on April 29, 2026. After 30 days of unproductive exchanges with no committed fix timeline, Permiso published its full findings on May 29, 2026, proceeding with disclosure after the standard 30-day responsible disclosure window expired.

As of publication, OpenAI has not released a patch. The company acknowledged the report but has not committed to a fix date. This means every ChatGPT user who asks the AI to summarize an external web page remains exposed to the full attack chain described above.

Why This Matters: AI Assistants as Phishing Infrastructure

ChatGPhish represents a structural shift in phishing risk. Traditional phishing relies on convincing targets to click suspicious links in emails or messages. ChatGPhish inverts the model: the victim proactively uses a tool they trust, and that tool itself delivers the phishing payload from within a domain - chatgpt.com - that browsers, security tools, and users consider authoritative.

The QR code pivot is particularly notable. It allows the attacker to move the phishing chain from a desktop browser session - where enterprise security controls, DNS filtering, and browser extensions may intervene - to a personal smartphone with no such protections. The victim scans the QR code from what appears to be a legitimate ChatGPT response, and the attack completes on an unmanaged device.

Security researchers have flagged that similar XPIA risks likely exist in other AI assistants that summarize external web content, including Copilot, Gemini, and Perplexity. None of these services fully sandbox the formatting instructions embedded in pages they fetch and process.

Important: Until OpenAI patches this vulnerability, avoid asking ChatGPT to summarize URLs from untrusted sources. If you use AI assistants to research unfamiliar web pages, verify any links or security prompts that appear in the AI's response by navigating to the service directly rather than clicking AI-rendered buttons.

For organizations that manage corporate browsing environments, the ChatGPhish disclosure adds weight to the case for encrypting and inspecting AI assistant traffic - including what pages employees ask their AI tools to fetch and process on their behalf.

Conclusion

ChatGPhish is a wake-up call for AI assistant security. Any web page can inject phishing content into a ChatGPT session - with the trusted chatgpt.com interface as the delivery vehicle. OpenAI has known since April 29, 2026 and has not patched the vulnerability. Until a fix arrives, treat every link and prompt rendered inside ChatGPT as potentially attacker-injected when the session involved summarizing an external URL.