Before the 1.2025.288.15 release, OpenAI Atlas exposed privileged browser APIs to content served from *.openai.com origins. A cross‑site scripting flaw in forum.openai.com allows an attacker to inject scripts that can read the victim’s browser history and open or close tabs, effectively revealing sensitive browsing data and enabling unauthorized browser manipulation. The vulnerability represents an access‑control weakness (CWE‑284).

All installations of OpenAI Atlas running a version older than 1.2025.288.15 are affected. The flaw is triggered by content on *.openai.com, particularly forum.openai.com. After the 1.2025.288.15 update, the exposure is limited to *.chatgpt.com only, meaning earlier versions remain vulnerable until upgraded.

The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, but the CVSS score of 6 indicates moderate severity combined with a stored XSS vector and privileged API access, implying a moderate exploitation risk. Based on the description, it is inferred that the likely attack vector is a malicious script injected into a forum post that then runs in the context of the victim’s browser, granting the attacker read‑only access to browsing history and the ability to open or close tabs. Immediate remediation is advised to mitigate the potential for data leakage and session hijacking.