Tenable researchers jailbreak GPT-5 within 24 hours of launch

Researchers from Tenable bypassed GPT-5’s new safety system within a day, prompting it to give Molotov cocktail instructions and raising doubts about its safeguards.

When OpenAI launched GPT-5 on August 7, 2025, the company highlighted new safety features meant to stop the system from producing harmful material. Within 24 hours, those protections were bypassed.

Researchers at Tenable were able to prompt the model into producing detailed instructions for making a Molotov cocktail. The approach, which they call “crescendo,” used a series of small, layered requests rather than one direct question.

The researchers posed as a history student and asked about the origins of the Molotov cocktail. From there, they slowly guided the model toward giving specific instructions. By the fourth exchange, GPT-5 provided step-by-step details that its safety system was designed to block.

The speed of the jailbreak is raising new questions about how effective OpenAI’s updated safeguards really are. GPT-5 was designed with a system called “safe completions,” intended to be more sophisticated than the hard refusals and content filters used in earlier models. But the test showed that even with these improvements, the system could still be manipulated.

Broader concerns

Tenable is not alone in finding weaknesses. Other groups have also reported early success in jailbreaking GPT-5 using different techniques. The incidents highlight how hard it is to fully stop large language models from producing dangerous content once a determined user knows how to frame the request.

This concern extends beyond hobbyists and researchers. Many companies are quickly adopting AI tools in their daily work, sometimes without formal oversight. If employees can push past built-in protections, they might expose their organizations to safety, ethical, or compliance risks.

Tomer Avni, Tenable’s vice president of product management, said “the ease with which we bypassed GPT-5’s new safety protocols proves that even the most advanced AI is not foolproof.”

“This creates a significant danger for organisations where these tools are being rapidly adopted by employees, often without oversight. Without proper visibility and governance, businesses are unknowingly exposed to serious security, ethical, and compliance risks. This incident is a clear call for a dedicated AI exposure management strategy to secure every model in use.”

OpenAI has responded by saying that it is working on fixes. However, the quick breach raises the possibility that stronger measures may be needed, particularly as AI models are used more widely.

Why it matters

The jailbreak does not mean GPT-5 is broken or useless, but it shows the limits of automated safety controls. Even the most advanced guardrails can fail under pressure from creative or persistent prompts. For companies relying on AI, this is a reminder that security cannot be left only to the software provider. Independent checks and clear policies may be needed to reduce risk.

What happened on the first day of GPT-5’s release illustrates both the speed at which AI is moving forward and the challenges that come with keeping it safe.