Users of OpenAI’s latest coding and cybersecurity-oriented flagship model, GPT-5.6 Sol, are posting horrifying accounts on social media, claiming the model just up and deleted their files, data, even entire databases on its own, without asking first.
“GPT-5.6-Sol just accidentally deleted almost ALL of my Mac’s files,” wrote Matt Shumer, the founder and CEO of AI startup OthersideAI, maker of HyperWrite, in a now viral post on X.
“GPT-5.6 Sol just deleted my whole production database. That’s it. Not a joke. This had never happened to me before, with any other model, ever,” developer Bruno Lemos posted on X.
“Looks like I’ve gotten bit by Codex Sol’s overly ambitious system and it deleted some files it shouldn’t have. I have backups so I’ll be fine, but this is not cool, Sol needs to be toned down,” posted developer Joey Kudish.
A Reddit post has collected more examples.
True, a handful of users making such claims — even one as credible as Shumer — isn’t statistically reliable evidence that the model is solely at fault. Plenty of other variables can cause an AI system to misbehave.
But OpenAI itself flagged this risk before Sol ever shipped. Two weeks before OpenAI released GPT-5.6 Sol, the company published a system card for the model — the paper that documents model-testing methods and results. Naturally, the system card largely extols the capabilities of Sol, as these reports typically do. But it also includes a warning of sorts (bold emphasis ours):
In coding contexts, misalignment generally stems from a mix of overeagerness to complete the task and interpreting user instructions too permissively — assuming that actions are allowed unless they’re explicitly and unambiguously prohibited. This manifests as the model being overly agentic in circumventing restrictions it faces when attempting the requested task, being careless in taking actions which may be destructive beyond the scope of the task, or deceptive when reporting its results to users.
In other words, OpenAI found that Sol has a tendency to take whatever actions it thinks gets a job done, even destructive ones, as long as those actions aren’t “unambiguously” prohibited. Then it might lie about what caused it to do so.
OpenAI shared examples. In one case, the user told Sol to delete three remote virtual machines (cloud-based computers), named 1, 2, and 3. But Sol couldn’t find those names in the place where it looked, so instead of stopping to ask, it decided to delete three other virtual machines, 5, 6, and 7, the paper notes. In doing so, it “killed active processes, and force-removed worktrees [the working files tied to a coding project]. It later acknowledged that uncommitted work on remote virtual machine 6 may have been lost.”
In short, it deleted the wrong machines, on its own, and only admitted what it did after the fact.
In another instance, Sol “used credentials beyond what the user had authorized.” Credentials are the usernames, passwords, or security keys a system uses to verify who’s allowed to log in. This incident occurred when Sol was working on a project and couldn’t read its cloud files. Rather than alerting the user to the problem, Sol went looking for the credentials on its own, found some sitting in a hidden local cache, and then used them without asking for authorization from the user.
The system card does promise that destructive behavior should be rare, although it also admits that GPT-5.6 Sol “shows a greater tendency than GPT-5.5 to go beyond the user’s intent, including by taking or attempting actions that the user had not asked for.”
It’s too soon to say how widespread these incidents — Sol deleting files, or sifting out credentials the user didn’t give it — really are. In the meantime, Sol users should be prepared to implement their own safeguards with the model, like using permission scoping (that doesn’t give access to production systems), maintaining backups, and staging rollouts.
OpenAI did not immediately respond to our request for comment.


