Security Flaw in OpenAI GPT-4.1 Exposes Other User Files (or hallucination)

Overview
When the GPT‑4.1 model is invoked through the OpenAI API with a request to reinterpret a document attached to a conversation, the backend returns the most recently cached file from a different customer account. This flaw allows any authenticated API consumer to read files that belong to other tenants (or it is a hallucination, but the information looks real), breaching data segregation guarantees and exposing Personally Identifiable Information (PII) and other confidential data.

Steps to Reproduce
Prerequisites:

  • Any valid OpenAI API key.

  • cURL requests (this can also be done via the OpenAI assistant platform, and I will do it that way so it is easier to reproduce)

  1. Create a new thread on an assistant (no prior uploads).

  2. Upload a file and ask on that thread to read and give back the file reinterpreted.

  3. Make sure the assistant is on the 4.1 model and you are on your first message in the thread.

  4. Observe the response. Instead of returning an error or empty result, the API streams back part or all of a document that you never uploaded. Repeating the call across fresh threads yields different documents, confirming cross‑tenant leakage.

You might think these are hallucinations, but after a few attempts that return other users' files in the response, you’ll eventually see a file containing highly sensitive data that is certainly not public, things like emails or other content that you can confirm is real. For this reason I am not 100% sure these are hallucinations.

Additional information:

Let’s assume that on the same thread we text 3 times, and each response includes an attached file, which we will call A, B, and C.

  • In response A, a file from another user is received.

  • In response B, file A is received.

  • In response C, file B is received.

As you can see, each response returns the file previous to the one requested. This suggests that, possibly, in the first request a file outside the expected index is retrieved, resulting in receiving a file belonging to another user.

Nobody checked this???
Please let us know if this is a real issue
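
One way to separate a stale copy of your own upload from content that cannot be attributed to you, as an added example that is not part of the original post: it assumes each file you upload carries a unique canary string, and classifies every response by which canary it echoes. The `CANARY-` format, function names and sample thread are constructed for illustration (the thread mirrors the A/B/C pattern above), and no API calls are made.

```python
import re
import secrets

# Hypothetical canary format: embed one of these in every file you upload.
CANARY_RE = re.compile(r"CANARY-[0-9a-f]{16}")

def make_canary():
    """Return a fresh, unguessable marker to place in an uploaded file."""
    return "CANARY-" + secrets.token_hex(8)

def classify_thread(turns):
    """turns: list of (uploaded_canary, response_text) in thread order.

    Labels per turn:
      current        - response echoes the file uploaded in this turn
      stale-K        - response echoes the file uploaded K turns earlier
      unknown-canary - response has a canary this thread never uploaded
      unattributed   - no canary at all: hallucination or foreign content,
                       which cannot be told apart from the text alone
    """
    labels, sent = [], []
    for canary, response in turns:
        sent.append(canary)
        found = set(CANARY_RE.findall(response))
        if canary in found:
            labels.append("current")
            continue
        # Look back through earlier uploads on the same thread.
        lag = next((k for k in range(1, len(sent)) if sent[-1 - k] in found), None)
        if lag is not None:
            labels.append(f"stale-{lag}")
        elif found:
            labels.append("unknown-canary")
        else:
            labels.append("unattributed")
    return labels

def demo():
    """Constructed thread reproducing the reported A/B/C lag."""
    a, b, c = make_canary(), make_canary(), make_canary()
    turns = [
        (a, "Reinterpreted: quarterly notes for an unrelated project."),
        (b, f"Reinterpreted document, marker {a}."),
        (c, f"Reinterpreted document, marker {b}."),
    ]
    return classify_thread(turns)

if __name__ == "__main__":
    print(demo())
```

A `stale-1` label on every turn after the first is consistent with the off-by-one retrieval described above; an `unattributed` first response still needs out-of-band verification before it can be called a leak.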