
This 'ZombieAgent' zero click vulnerability allows for silent account takeover - here's what we know


  • OpenAI’s new “apps” feature enables ChatGPT to connect with external services like email and storage
  • Radware discovered “ZombieAgent,” a prompt injection flaw allowing hidden commands to exfiltrate or propagate data
  • Exploits include zero-click, one-click, persistence, and worm-like propagation; OpenAI patched it December 16

OpenAI recently introduced a new feature for ChatGPT which, unfortunately, also puts users at risk of data exfiltration and persistent access.

In December 2025, a feature called Connectors finally moved out of beta and into general availability. This feature allows ChatGPT to connect to numerous other apps, such as calendars, cloud storage, and email accounts, giving it more context and thus letting it provide users with better, more relevant responses.

The feature is now called ‘apps’ but, according to security researchers at Radware, it also opens the tool up to a major vulnerability: prompt injection attacks.

Researchers claim ChatGPT has a whole host ...
Copyright of this story solely belongs to techradar.com.