About a week after its official announcement, Israeli cybersecurity researchers have uncovered a significant security vulnerability in OpenAI’s new ChatGPT Atlas browser.

The discovery was made by LayerX Security, an Israeli cybersecurity firm, which stated that the flaw potentially affects all ChatGPT users across browsers, though it is especially critical for Atlas users.

According to LayerX, the vulnerability enables attackers to inject commands into ChatGPT’s memory, allowing them to execute code remotely.

This exploit could be used to infect both individuals and organizations with malicious code and gain unauthorized access to sensitive systems.

The company’s research also revealed that Atlas currently lacks robust protection against phishing. Its tests showed that Atlas users are up to 90% more vulnerable to phishing attacks than users of mainstream browsers such as Chrome or Edge. During testing, researchers simulated 103 phishing attacks, and Atlas failed to block 97 of them, a failure rate of 94.2%.

LayerX promptly reported the issue to OpenAI.

The attack sequence involves multiple stages. Initially, a victim clicks a malicious link leading to a fake website. From there, attackers use cross-site request forgery (CSRF) techniques to steal the victim’s ChatGPT access credentials and send malicious commands to the AI’s memory.

Once the user resumes normal activity in ChatGPT, the implanted memory entries can be activated to execute remote code, giving attackers control over the user’s account, browser, written code, and any connected systems.
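To make the mitigation side of this concrete, here is an added example (not LayerX’s or OpenAI’s code, and not a description of how ChatGPT’s memory endpoint actually works) of how a server can refuse forged cross-site writes to a state-changing route such as a memory-update endpoint. The trusted origin, session id, server secret, endpoint path and the two sample requests are constructed placeholders. The guard combines three independent CSRF defences: browser fetch metadata (`Sec-Fetch-Site`), an `Origin`/`Referer` check, and a per-session synchronizer token that a third-party page cannot read.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed origin of the application that owns the memory endpoint (placeholder).
TRUSTED_ORIGIN = "https://chat.example.test"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class CsrfGuard:
    """Rejects cross-site state-changing requests using three independent checks."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def issue_token(self, session_id: str) -> str:
        # Synchronizer token bound to the session; forging it requires the server secret.
        return hmac.new(self._secret, session_id.encode(), hashlib.sha256).hexdigest()

    def check(self, req: Request) -> tuple:
        if req.method.upper() in SAFE_METHODS:
            return True, "safe method"

        session_id = req.cookies.get("session")
        if not session_id:
            return False, "no session"

        # 1. Fetch metadata: the browser sets this itself, so a forged POST from
        #    another site arrives labelled "cross-site".
        site = req.headers.get("Sec-Fetch-Site")
        if site is not None and site not in ("same-origin", "none"):
            return False, f"cross-site request (Sec-Fetch-Site={site})"

        # 2. Origin check, falling back to Referer; a state-changing request
        #    that carries neither header is refused.
        origin = req.headers.get("Origin")
        if origin is None and "Referer" in req.headers:
            parts = urlsplit(req.headers["Referer"])
            origin = f"{parts.scheme}://{parts.netloc}"
        if origin != TRUSTED_ORIGIN:
            return False, f"origin not trusted ({origin})"

        # 3. Synchronizer token: an attacker's page cannot read it, so it cannot send it.
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, self.issue_token(session_id)):
            return False, "missing or invalid csrf token"

        return True, "ok"


def handle_memory_write(req: Request, guard: CsrfGuard, memory: dict) -> dict:
    """Hypothetical handler for POST /memory: appends an entry only if the guard passes."""
    ok, reason = guard.check(req)
    if not ok:
        return {"status": 403, "reason": reason}
    user = req.cookies["session"]
    memory.setdefault(user, []).append(req.form.get("entry", ""))
    return {"status": 200, "reason": reason}


GUARD = CsrfGuard(secret=b"constructed-server-secret")
SESSION = "sess-42"  # constructed session id; the browser attaches it as a cookie either way

# Legitimate same-origin write made by the application's own page.
LEGIT = Request("POST", "/memory",
                headers={"Origin": TRUSTED_ORIGIN, "Sec-Fetch-Site": "same-origin"},
                cookies={"session": SESSION},
                form={"entry": "prefers metric units",
                      "csrf_token": GUARD.issue_token(SESSION)})

# Forged write from a lookalike page: the session cookie rides along, but the
# fetch metadata, the Origin and the missing token all give it away.
FORGED = Request("POST", "/memory",
                 headers={"Origin": "https://lookalike.example.test",
                          "Sec-Fetch-Site": "cross-site"},
                 cookies={"session": SESSION},
                 form={"entry": "injected instruction (constructed)"})


def demo() -> dict:
    """Run both requests against an empty memory store and report what got written."""
    memory = {}
    return {
        "legit": handle_memory_write(LEGIT, GUARD, memory),
        "forged": handle_memory_write(FORGED, GUARD, memory),
        "entries": dict(memory),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters for logging: fetch metadata and origin fail first and name the cross-site source, which is the signal a detection team wants to alert on, while the token check catches older clients that send no fetch metadata at all.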

Or Eshed, co-founder and CEO of LayerX Security, explained:

“The memory mechanism in ChatGPT, designed to improve user experience by remembering personal details, introduces a new type of vulnerability we haven’t seen before. It turns legitimate AI tools into potential partners in system breaches, instruction relays, and account takeovers. The attack still relies on users clicking malicious links, so the best defense remains vigilance—avoid clicking suspicious links whenever in doubt.”