OpenAI's Lockdown Mode Closes ChatGPT's Data Exfiltration Exits

OpenAI Closes the Exits: How Lockdown Mode Changes ChatGPT’s Attack Surface

Prompt injection has been an open wound in large language model security for years. Attackers embed malicious instructions inside documents, web pages, or images — content the model processes on a user’s behalf — and the model follows those instructions, potentially shipping sensitive data to infrastructure the attacker controls. OpenAI has now shipped a direct countermeasure: Lockdown Mode, a new optional security setting for ChatGPT that significantly narrows the outbound network paths an attacker could exploit.

The feature began rolling out in early June 2026, available to logged-in users across Free, Go, Plus, Pro, and self-serve ChatGPT Business plans. It is not a default setting, and OpenAI has stated plainly that it is not intended for everyone — the design targets people and organizations that handle sensitive data and need stricter protection guarantees than standard ChatGPT configurations provide.

What Lockdown Mode Actually Disables

The core logic is straightforward: if data cannot leave the session via outbound network requests, an attacker’s ability to exfiltrate it collapses. Lockdown Mode does not attempt to detect or block prompt injections as they occur. Instead, it removes the pathways that would make a successful injection damaging in the first place.

The disabled features list is specific. Live web browsing is restricted to cached content only — no live outbound requests to arbitrary URLs. Image support is shut down for both displaying images in responses and retrieving images from the web. Deep research and Agent mode are disabled entirely. Canvas networking is blocked, which means users cannot approve Canvas-generated code to access the network. File downloads are also blocked, preventing files from being downloaded during data analysis tasks.

These restrictions are layered on top of existing sandboxing controls and URL-based exfiltration defenses OpenAI already had in place. The framing here matters: Lockdown Mode is not a replacement for those controls, it is an additional ring around them, specifically targeting the outbound network surface that prompt injection attacks rely on to transmit captured data.

What It Does Not Fix

OpenAI has been direct about the limits of what Lockdown Mode accomplishes, and those limits are worth understanding precisely.

The feature does not change how memory works, how file uploads function, or whether conversations can be shared. It also does not prevent prompt injections from affecting ChatGPT’s behavior. OpenAI’s own documentation offers a clear example: a malicious instruction embedded inside an uploaded file can still alter how ChatGPT responds, potentially producing an incorrect or manipulated answer. The mode blocks exfiltration routes, not the manipulation itself. OpenAI also acknowledges that risk may remain through enabled third-party apps, unforeseen combinations of capabilities, or attack techniques that haven’t been discovered yet.

The Mechanics of Prompt Injection at Scale

Prompt injection remains what OpenAI calls a “frontier” problem — meaning it affects all large language models without a complete solution currently available across the industry. The attack class works because LLMs are designed to process and act on text instructions, and distinguishing a legitimate user instruction from a malicious one buried inside retrieved content is not a solved problem at the model level.

The exfiltration pathway is what makes it dangerous in practice. A classic scenario: a user asks ChatGPT to summarize a document or browse a URL. That content contains hidden instructions telling the model to send specific information — session data, file contents, conversation history — to an external server via an outbound request. The model, faithfully following what it reads as instructions, complies. Lockdown Mode cuts that final step.

The tradeoff is real. Disabling live browsing, deep research, agent mode, and canvas networking removes significant functionality. For users working in environments where data sensitivity outweighs the convenience of those features, that trade is reasonable. For general-purpose use, it would make ChatGPT substantially less capable for many workflows.

One notable constraint: Lockdown Mode and Developer Mode cannot be active simultaneously. Enabling one disables the other. This makes sense operationally — Developer Mode expands capabilities and access, while Lockdown Mode contracts them — but it means developers working with sensitive data cannot use both frameworks at once.

Session Management Arrives Alongside Lockdown Mode

OpenAI also shipped a separate but related security feature at roughly the same time: granular account session management. Users can now review all active ChatGPT sessions and selectively log out of individual sessions or terminate all sessions at once.

The session listing includes meaningful detail — the device used, the application, approximate location, sign-in date and time, whether the device is marked as trusted, and whether it is the current active session. This kind of visibility has been standard practice in email and cloud platforms for years, and its absence from ChatGPT had been a gap worth noting.

For organizations concerned about unauthorized account access, the ability to remotely invalidate a session without requiring a full password reset is practical. If a device is lost, stolen, or simply unaccounted for, a user can kill that specific session from another authenticated device without disrupting other active logins.

Where This Fits in the Broader Security Picture

Lockdown Mode is not a claim that prompt injection is solved. OpenAI has been explicit on this point, noting in its documentation that “Lockdown Mode is designed to substantially reduce the risk of prompt injection-based data exfiltration in ChatGPT and supported OpenAI products, but it does not guarantee that data exfiltration cannot happen.”

That honesty is useful. Security features that overclaim tend to generate false confidence, which can be more dangerous than acknowledged uncertainty. By framing Lockdown Mode as a risk-reduction mechanism with documented limitations rather than a complete defense, OpenAI leaves users with an accurate model of what they’re working with.

The practical implication for organizations is that Lockdown Mode should be evaluated as one layer in a broader control set, not a standalone answer. It addresses the outbound exfiltration vector specifically. It does not address account compromise, insider threats, insecure handling of ChatGPT outputs, or the behavioral manipulation aspect of prompt injection. Those require separate controls — and some of them, like the new session management feature, are now available within the platform itself.

For security teams evaluating ChatGPT deployments in environments that handle regulated or sensitive data, the combination of Lockdown Mode and session visibility controls represents a meaningful shift in what the platform can offer from a governance standpoint. The question of whether those controls are sufficient for a given environment depends on the data involved, the workflows, and the threat model — considerations that sit outside any single feature’s scope.

The feature is live for eligible plans as of June 2026, toggled off by default.