OpenAI Sora 2 Vulnerability Exposes System Prompts via Audio Transcripts

A vulnerability in OpenAI’s advanced video generation model, Sora 2, that enables the extraction of its hidden system prompt through audio transcripts, raising concerns about the security of multimodal AI systems.

This vulnerability, detailed in a blog post by AI security firm Mindgard, demonstrates how creative prompting across text, images, video, and audio can bypass safeguards designed to keep internal instructions confidential.

The findings, published on November 12, 2025, highlight ongoing challenges in protecting AI models from prompt leakage, even as companies invest heavily in red-teaming and alignment training.​

Mindgard’s team, led by Aaron Portnoy, began experimenting with Sora 2 on November 3, 2025, exploring how semantic drift in multimodal transformations could expose the model’s foundational rules.

Traditional text-to-text extraction relies on linguistic tricks like role-playing or repeating preceding context to coax LLMs into revealing prompts, but Sora 2’s video capabilities introduced new vectors.

Attempts to render text as still images or video frames often failed due to glyph distortions and frame inconsistencies, where legible text in one frame devolved into unreadable approximations in the next.

Encoded formats like QR codes or barcodes proved equally unreliable, producing visually plausible but decodable gibberish because the model prioritizes pixel realism over precise data encoding.​

The breakthrough came with audio: by prompting Sora 2 to generate speech in short, 15-second clips often sped up to fit more content, researchers transcribed outputs with high fidelity, stitching fragments into a near-complete system prompt.

This stepwise approach outperformed visual methods, as audio avoids the noise of image generation and naturally sequences information.

The recovered prompt reveals rules like generating metadata first, avoiding copyrighted characters unless explicitly requested, and prohibiting sexually suggestive content without precise user direction.

It also mandates fixed video parameters, such as 15-second length and 1.78 aspect ratio, underscoring how these instructions enforce behavioral guardrails.​

System prompts, while not always containing sensitive data, define model safety boundaries and can enable follow-up attacks if leaked, such as crafting prompts to evade guardrails.

Mindgard argues that these instructions should be treated as configuration secrets, akin to firewall rules, rather than harmless metadata.

The vulnerability exploits inherent weaknesses in multimodal models, where transformations compound errors, creating “lost in translation” effects that amplify leakage risks.

OpenAI’s extensive training resists direct attacks, but variations in framing indirect requests or cross-modal prompts still succeed, as seen in adversarial examples like asking for step-by-step refusal logic without quoting the prompt verbatim.​

For users and developers, this underscores the need for robust testing of audio and video outputs, length limits on generations, and treating prompts as proprietary.

While Sora 2’s prompt itself poses low immediate risk, the technique could apply to more sensitive targets, potentially exposing tools or agent integrations.

OpenAI acknowledged the issue after Mindgard’s disclosure, noting general awareness of prompt extraction but requesting a draft review before publication.​

This coordinated disclosure emphasizes responsible vulnerability handling in AI research. As multimodal systems proliferate, such findings urge stronger protections to prevent misuse amid rising deepfake and disinformation threats.​

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.