< lcn home

The Comprehensive Guide to Prompt Injection Attacks in 2026

A prompt injection is a cyberattack that manipulates a large language model or AI agent into executing an attacker's instructions instead of the system's.

The attack exploits a structural property of LLMs: they can't distinguish instructions from data since both arrive as natural-language text. In agentic deployments, a successful injection can leak data, bypass safety controls, or trigger unauthorized actions.

Published Date: Jul 15, 2026
Table of contents
This is the block containing the component that will be injected inside the Rich Text. You can hide this block if you want.
Hassaan qaiser bKfkhVRAJTQ unsplash

TL;DR

  • Nearly every major prompt injection incident shares the same pattern: an agent with access to private data, exposure to untrusted content, and the ability to communicate externally is exploitable.
  • The threat shifted from chatbot trick to enterprise risk between 2024 and 2026, with incidents against Slack AI, Microsoft 365 Copilot, Cursor, GitHub MCP, and AI coding assistants.
  • Current defenses don't solve the problem. The strongest published defense misses around one in ten optimization-based attacks. Adaptive attacks bypass essentially every recommended defense.
  • A real defense requires three layers: architectural prevention to limit agent capability, runtime detection to catch the consequences of successful injection, and governance integration with frameworks security teams already use.
  • The Five Eyes (FVEY), the global intelligence alliance, names prompt injection as a core way attackers manipulate agents, and recommend incremental adoption with human oversight at consequential decisions.

Why prompt injection demands attention now

Prompt injection demands attention now because it's a working, unsolved attack against AI systems already in production. The consequences have moved from embarrassing chatbot output to data theft, unauthorized actions, and compromised enterprise systems.

In mid-2025, security researchers at Aim Labs disclosed EchoLeak, the first zero-click data exfiltration attack against Microsoft 365 Copilot. An attacker sent the target an ordinary email. The user never opened it. Copilot read it during normal background processing, and a later unrelated query triggered the leak. 

That's where things stand now. 

More specifically, the model isn't the endpoint anymore. AI agents read emails, summarize documents, browse the web, query internal systems, and call external tools. Any of those inputs can carry instructions an attacker wrote. The agent can't always tell the difference.

Here's why that’s important:

The economics favor the attacker. 

An attacker needs one prompt that works. Defenders need to block every malicious instruction, across every input the agent touches. Emails. Documents. Web pages. Internal wikis. Other agents' outputs. The surface is huge.

And the industry has been candid about where this stands. 

OpenAI describes prompt injection as a frontier security problem still being worked on. In May 2026, Five Eyes (CISA, NSA, and counterparts in the UK, Canada, Australia, and New Zealand) issued joint guidance on agentic AI. They name prompt injection as a core way attackers manipulate agents, and stress that no single safeguard is enough on its own.

"Strong governance, explicit accountability, rigorous monitoring and human oversight are not optional safeguards but essential prerequisites. Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly, prioritising resilience, reversibility and risk containment over efficiency gains."

That guidance didn't come out of nowhere. 

It followed a steady run of real-world incidents from 2024 through 2026. Productivity assistants, code editors, internal chatbots, developer agents were all compromised through some form of injection. We'll get into those incidents later in the article.

For now:

Prompt injection isn't theoretical. It's already costing organizations data, trust, and time.

What are the different types of prompt injection?

There are three main types of prompt injection: direct, indirect, and stored. Each type describes a different trust surface, which means a different point where an attacker can reach the model.

Direct prompt injection

Diagram titled 'Direct prompt injection attack' showing how malicious input flows into LLM apps and combines with malicious prompts and system instructions to compromise the underlying LLM. The flow moves from a malicious input source into the LLM apps node, then down into an overlapping zone where malicious prompts merge with legitimate system instructions before reaching the LLM.

Direct prompt injection is what happens when the attacker has access to the prompt itself. 

The malicious instruction is typed in by the attacker as user input.

This is the original form. It's also the form most people picture when they hear "prompt injection." A user telling a chatbot to ignore its system prompt. A researcher extracting hidden instructions. A red-teamer probing a model's guardrails.

Direct injection still happens. It still works against consumer-facing chatbots, internal AI tools with weak isolation, and anything that exposes a model to untrusted user input. But it isn't the dominant enterprise threat surface anymore.

Indirect prompt injection

and now this one same process12:13 AMClaude responded: Diagram titled 'Indirect injection attack' showing how an LLM app receives both user prompts and inputs from one side and training data and documents from the …Diagram titled 'Indirect injection attack' showing how an LLM app receives both user prompts and inputs from one side and training data and documents from the other, where one of the documents is flagged as malicious. These sources combine into a single stream of user prompts, malicious input, and system instructions that is then passed down to the underlying LLM.

Indirect prompt injection is what happens when the agent has access to attacker-controlled content.

The attacker doesn't talk to the model. They place instructions somewhere the model will read on its own. An email. A document. A web page. A Slack message. A retrieved file. A response from another agent. The agent processes the content as part of a normal task and follows the hidden instructions.

FYI: Indirect prompt injection is the dominant pattern in nearly every enterprise prompt injection incident since 2024.

Stored prompt injection

Stored prompt injection is what happens when the system has access to attacker-controlled memory.

The instruction is already in place before the model starts working. It sits in long-term memory, embeddings, knowledge base entries, indexed documents, or agent configuration files. Basically, anywhere the model will read from later. 

Once embedded, it can persist across sessions and reactivate against future, unrelated tasks.

Stored injection is the long-tail risk. It's harder to detect because the original injection event is decoupled from the eventual exploitation. And it's harder to remediate because finding the poisoned record means knowing what to look for.

Comparing prompt injection types vs. techniques

These three types describe how an injection reaches the model. 

The actual construction of the injection is a separate question of technique, which include but aren’t limited to methods like obfuscation, payload splitting, adversarial suffixes, multimodal hiding, multilingual evasion, etc.

Any technique can appear within any type. A multimodal injection can land through user upload (direct) or through retrieved content (indirect). A payload-splitting attack can be typed in or planted.

How does prompt injection actually work?

instructions from data. Both arrive as natural-language text from the model's perspective. An attacker hides instructions inside content the model processes, and the model follows them, even when those instructions contradict what the developer originally told it to do.

That's the whole vulnerability.

It was first demonstrated in September 2022, when researcher Riley Goodside showed that adding "ignore the above directions" to a translation prompt could redirect the model's behavior. Independent researcher Simon Willison coined the term "prompt injection" shortly after. The next year, Kai Greshake and colleagues demonstrated the same technique works indirectly through content the model retrieves, not just content the user types. 

Here's what changed since then:

The model isn't the endpoint anymore. 

Agents are. Here’s why. 

AI agents can read files, browse the web, call APIs, query databases, and trigger actions through tool integrations and the Model Context Protocol. An injection that used to make a chatbot say something embarrassing can now make an agent send an email, exfiltrate data, or execute code.

Most modern injections don't come through user input at all. 

They arrive through the content the agent reads on its own. Emails, documents, retrieved files, tool outputs from other systems.The agentic shift is the reason why indirect injection is the dominant attack pattern.

There's a clean way to spot when an agent is at structural risk.

Diagram titled 'The lethal trifecta' showing three overlapping circles that together represent the conditions enabling a prompt injection attack: access to private data, the ability to externally communicate, and exposure to untrusted content. Each circle is paired with an icon, padlocks for private data, speech bubbles for external communication, and a flagged document for untrusted content.

Three properties have to be present together: access to private data, exposure to untrusted content, and the ability to communicate externally. Any agent with all three is exploitable. Any agent missing one breaks the attack path.

This pattern is sometimes called the "lethal trifecta," a framing introduced by independent researcher Simon Willison in 2025. It explains nearly every major prompt injection attack on record. We'll see it operationalized across the incident walk-through later in this guide.

What does prompt injection look like in the real world?

Timeline diagram titled 'The prompt injection escalation, 2024-2026' organized into three phases. Phase 1, assistants in use, covers Slack AI from PromptArmor in 2024 where a planted channel message tricks the assistant into linking private data out, and EchoLeak from Aim Labs in 2025 where a hidden email prompt exfiltrates data from Copilot with zero clicks. Phase 2, developer tools, covers Cursor RCE (CVE-2025-49150) in 2025 where a malicious MCP server runs attacker code on a developer's machine, GitHub MCP from Invariant Labs in 2025 where a booby-trapped public issue walks the agent into private repos, and Rules File Backdoor from Pillar Security in 2025 where a poisoned config file hands the assistant hidden commands on repo clone. Phase 3, AI as the weapon, covers Web3 memory poisoning from Singh Patlan and others in 2025 where false memories persist and trigger unauthorized transfers, and ZombAIs from Rehberger in 2024 where injection turns the agent into an attacker-controlled C2 node.

In the real world, prompt injection looks like an ordinary email, Slack message, or config file that hides an instruction an AI agent reads and then acts on. Usually with no malware or broken login anywhere in sight.

That shift, from what a model says to what an agent does, isn't theoretical. The last two years have a record.

The incidents below reset how enterprise security teams think about prompt injection. Taken in order, they trace a clear escalation: from leaking data, to executing code, to turning the AI itself into the attacker's tool.

It started with the assistants employees were already using.

Slack AI exfiltration (PromptArmor, 2024)

Vector: A malicious instruction planted in a public Slack channel the attacker spun up themselves.

What happened: When a user later asked Slack AI to retrieve information, the assistant searched public and private channels at once, pulling the user's confidential data and the attacker's instruction into the same context. It obeyed the instruction, encoding the stolen data into a link it placed in its own answer.

Why it matters: The data walked out when the user clicked that link. The template was set: retrieval-backed assistants will read attacker text and treat it as a command, with no malware and no exploit in sight.

EchoLeak (Aim Labs, 2025), Microsoft 365 Copilot

Vector: A hidden prompt buried in an ordinary email.

What happened: Copilot pulled the email into context during routine work and was steered into breaching its own permissions. This is a "scope violation," where the agent uses access it legitimately holds to serve the attacker, acting as a confused deputy.

Why it matters: Sensitive data left the tenant with zero clicks, the first real-world zero-click exfiltration from a production enterprise AI assistant. There's no user mistake to point to and no link to trace; the exposure happens entirely inside a tool the business deployed and trusts. Slack AI still needed the victim to click. EchoLeak needed nothing.

Then the surface moved to where software gets built.

Cursor RCE via MCP, CVE-2025-49150 (2025)

Vector: A malicious Model Context Protocol (MCP) server, reached through Cursor's handling of those connections.

What happened: The injection escalated to remote code execution on the developer's machine, one of thirty-plus coding-assistant CVEs catalogued in the IDEsaster research.

Why it matters: The stakes jump here. This is no longer an assistant leaking a secret. It's an assistant running attacker code on an engineer's laptop.

GitHub MCP "Toxic Agent Flow" (Invariant Labs, 2025)

Vector: A booby-trapped GitHub Issue filed in a public repository.

What happened: When a developer's agent read the issue through the GitHub MCP server, the buried instructions sent it into the user's private repositories and back out through a pull request in the public repo. The server's token carried blanket access, so nothing stopped it crossing that boundary.

Why it matters: A single public issue became a path into private code, the IP and trust boundary the security team is directly accountable for, crossed without a stolen credential or a breached system. The integrations we wire into our agents inherit the agent's reach.

Rules File Backdoor (Pillar Security, 2025)

Vector: Per-project AI config files, .cursorrules and copilot-instructions.md, that assistants read as standing guidance.

What happened: Those files were shown to smuggle hidden directions. A developer who cloned an infected repo and opened it in an AI IDE handed the assistant a poisoned rulebook, which could fire shell commands under the guise of project setup.

Why it matters: The dependency you didn't audit isn't just a library anymore. It's any file an AI tool consults on its way to acting.

And then the injection stopped being a single event.

Web3 AI agent memory poisoning (Singh Patlan et al., 2025)

Vector: Injection written into an agent's long-term memory rather than a single prompt.

What happened: Attackers seeded false "memories" that survived from one session to the next, later nudging the agent into actions its operator never authorized, including leaked data and, in documented cases, transferred assets.

Why it matters: The failure mode here isn't a leak. It's money moving on an instruction no one approved. The injection and the damage came unstuck in time: a quiet contamination in one interaction detonated later, on tasks with no obvious link to where it began.

ZombAIs: prompt injection to C2 (Rehberger, 2024)

Vector: Indirect injection aimed at an agent with hands on the machine (Claude Computer Use).

What happened: The planted instructions wired the agent into an attacker's command-and-control loop, turning the assistant into a node the attacker could steer.

Why it matters: The AI stops being the target and becomes the weapon. A prompt-injectable agent is useful to an adversary as infrastructure, not just as a victim.

The pattern across all seven is identical.

The instruction arrives through an input the agent was designed to read. The agent processes it as part of legitimate work. And then it acts. It sends the link, spawns the process, crosses into the private repo, executes the transfer, phones the C2. The lethal trifecta is operational: access to private data, exposure to untrusted content, and a way to communicate out.

Different products, different surfaces, same structure. And in every case, the damage landed not when the model was fooled, but when the agent took action.

What's the difference between prompt injection and jailbreaking?

Prompt injection is the mechanism. Jailbreaking is one possible goal.

Prompt injection vs. jailbreaking
Prompt injection Jailbreaking
What it is The mechanism: untrusted text the model treats as instructions A goal: getting the model to break its safety rules
Attacker needs Any path to content the model reads Access to influence the prompt
Typical target Data, agent actions, memory, other agents The model's guardrails
Delivery Direct or indirect Usually direct
Relationship The umbrella One thing injection can be used for

Prompt injection is the structural vulnerability. 

As explained above, an LLM can't reliably separate instructions from data because both arrive as the same kind of text. Any attacker who can slip in content the model reads can potentially redirect what it does.

Jailbreaking is one objective inside that vector.

And a narrow one: get the model to bypass its safety constraints and produce something it shouldn't.

Here's why the distinction matters:

Jailbreaking is only one use of prompt injection. 

The very same mechanism can exfiltrate data, hijack agent actions, poison memory, and propagate instructions across multi-agent systems. Most major incidents between 2024 and 2026 had nothing to do with jailbreaking at all.

To boil it down, jailbreaking is a subset of direct injection, where the attacker types instructions to bypass safety filters. Indirect injection, where the instructions arrive through retrieved content, is the larger and more consequential category today.

Why current prompt injection defenses keep failing

If the news about prompt injection so far has felt grim, this is where it gets honest.

Every major mitigation in the standard playbook has a real ceiling. Some are useful. None solve the problem. Most break in predictable ways once attackers adapt to them.

The table below breaks down each:

Prompt injection defenses and their limitations
Defense How it works Where it breaks
Instruction hierarchy Weights the system prompt above user input, so the model trusts developer instructions first Fails against adversarial inputs that pose as higher-priority instructions or exploit the model's helpfulness training
Input filtering Scans input for known injection patterns and blocks matches Misses anything unfamiliar: encoded payloads, multilingual evasion, and instructions buried in retrieved content the filter never sees
Output validation Constrains output to expected formats Useless when the goal is a side effect, like a tool call or data access, that fires before output is generated
Content segregation Marks trusted and untrusted content separately so the model can tell them apart The model still decides how much weight to give each source, and the boundary markers themselves can be spoofed
Least privilege Restricts the tools and data the model can reach Genuinely limits blast radius, but constrains the model's usefulness in proportion to how much it constrains the attacker
Human-in-the-loop Requires human confirmation for sensitive actions The strongest option here, and the first one disabled in production because it kills UX and breaks autonomy

Now let's consider what the research community is finding.

Even the most sophisticated defenses don't fully close the gap.

Fine-tuning approaches that train models to resist injection do make real progress against everyday attacks, but they buckle under pressure. The strongest published defense, SecAlign, still misses about one in ten optimization-based attacks, the kind built to find the weakest path through a model. Other leading approaches show wider gaps, with attack success rates exceeding 40% against the strongest optimization-based attacks (Chen et al., "SecAlign: Defending Against Prompt Injection with Preference Optimization," 2025).

Plus, recent research has shown a deeper problem: adaptive attacks, where the attacker knows what the defense is doing, bypass more than 90% of published defenses given enough time to optimize (Nasr et al.,”The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against LLM Jailbreaks and Prompt Injections,” 2025). 

The honest read on the state of the field:

"Research is suggesting that an LLM inherently cannot distinguish between an instruction and data provided to help complete the instruction... it may simply be an inherent issue with LLM technology."

Here's what this means for defenders.

Prevention is necessary. It reduces the attack surface, blocks the easy cases, and buys time. Layering these defenses helps. But each layer carries its own failure mode forward, and the attacker who's willing to invest in adaptive techniques will eventually find a path through.

That's the pivot. Prevention is part of the answer. It isn't the whole one.

Breaking down a layered prompt injection defense

Diagram titled 'The anatomy of a layered prompt injection defense' showing three defensive layers alongside what each one catches and misses. Layer 1, architectural prevention, limits what the agent can do; it catches blast radius by boxing the attacker into a smaller set of actions, but misses the injection itself, which still lands. Layer 2, runtime detection, watches what the agent actually does; it catches the consequences such as anomalous tool calls, bad data access, and quiet exfiltration, but misses the injection itself and the model's reasoning. Layer 3, governance, assigns ownership; it catches accountability by tying the risk to audits, owners, and reporting lines, but doesn't stop attacks, it makes sure they're owned.

If prevention alone can't solve prompt injection, what does a real defense look like?

It looks layered. 

Three layers, each doing a job the others can't: architectural prevention at the model and agent level, runtime detection at the action level, and governance at the program level. None is sufficient alone. 

Together they cut risk in ways no single approach can.

Architectural prevention

Architectural prevention limits what an agent can do so a successful injection has less to work with. It doesn't try to spot malicious instructions or filter them out. It treats untrusted content as untrusted by design.

How it works:

  • Capability-based architectures separate planning from execution. The agent commits to which tools it'll use before it touches attacker-controlled content.
  • Dual-model designs wall off the privileged model that takes actions from a quarantined one that reads external data.
  • Information-flow controls enforce strict rules about what can pass between trusted instructions and untrusted inputs.

What it catches: The blast radius. Even a successful injection can only reach what the architecture already permits, so the attacker is boxed into a far smaller set of actions.

What it misses: The injection itself. It still lands inside a well-architected agent; the design just caps what it can do. And these patterns have to be built in from the start, so retrofitting them onto existing agents is hard.

Runtime detection

Runtime detection catches what prevention misses by watching what the agent actually does once it's running. The injection is invisible, since it happens in model context where syscall-level instrumentation can't see. But injections produce actions, and actions touch the system.

How it works:

  • Tool and system calls flag actions that don't fit the task, like an agent that usually summarizes documents suddenly firing API calls.
  • File and data access catches the agent reaching for data it has no business touching.
  • Network egress surfaces data leaving through a channel that looks legitimate.
  • Behavioral baselines measure each action against the agent's normal patterns, so deviation stands out.

What it catches: the consequences of a successful injection as they happen. Anomalous tool use, data moving where it shouldn't, quiet exfiltration. The damage is visible because the damage touches the system.

What it misses: The injection itself, the model's reasoning, the attention patterns behind the bad call. Runtime detection sees outcomes, not intent. You catch the damage, not the manipulation that caused it.

Governance integration

Governance keeps prompt injection from becoming a risk everyone acknowledges but no one owns. It maps the threat onto the accountability structures you already run, instead of standing up a separate track for AI.

That mapping already exists:

The payoff is ownership. Once prompt injection lives inside frameworks with audits, control owners, and reporting lines, it gets handled like any other tracked risk: assigned, measured, resolved. Treat it as exotic and it fragments across teams with no clear owner. Treat it as connected and it resolves like everything else you're accountable for.

How to operationalize a prompt injection defense program

Diagram titled 'How to implement prompt injection defense' showing three stages arranged as ascending steps. Stage 1, close the accountability gap, asks whether you can reconstruct what an agent did and why, covering what input triggered it, what tool acted against what resource, and whether it was authorized. Stage 2, instrument the agents, logs every action and builds a baseline of normal across tool calls and data access, so that deviation from normal tools, sequence, and data becomes a signal. Stage 3, build the program, turns telemetry into an owned, operating program where findings are assigned, measured, and resolved, and mapped to the frameworks you answer to.

Operationalizing a prompt injection defense program means:

  • Closing the accountability gap
  • Instrumenting agents so you can reconstruct what they did and why
  • Wrapping that telemetry in a program that assigns, measures, and resolves the risk like any other

The right place to start is the accountability gap.

It's what the Five Eyes guidance flags as the core problem. When something goes wrong with an agent, security teams need to reconstruct what it did, why, and with what authority. Traditional audit logs don't capture that. Agentic decisions move through probabilistic reasoning chains, and those chains don't map cleanly to the "who did what when" records SOCs are built around.

In practice, an agent takes an action that touches sensitive data. To reconstruct it, the auditor needs to know:

  • Which input triggered the decision
  • Which tool was called, against which resource
  • Whether the action was authorized at the time

But the agent may not be able to explain itself, and the logs may show the tool call without the reasoning behind it. Reconstructing that chain takes effort traditional incident response was never designed for.

Behavioral observability narrows the gap, though it never fully closes it.

Logging every action an agent takes, tool calls, data accesses, and reasoning steps where they're retrievable, gives the SOC and the auditor something to work with. Baselines then make anomaly detection tractable:

  • What tools does this agent normally call?
  • In what sequence?
  • Against what data?

Once you have that baseline, anything that breaks the pattern stands out as worth investigating. Just know the limit: some of an agent's reasoning can't be traced yet. Observability gets you close, but it's not the whole answer, at least not until the research catches up.

The program is what gets built on top of that foundation.

The clearest signal of maturity isn't which controls are in place. It's whether the program produces a short, high-confidence list of risks that get resolved, rather than a long backlog of theoretical findings that grows faster than it shrinks.

In practice, a mature program shows a consistent set of traits:

  • Threat modeling for agentic systems happens before deployment, using methods built for agent risk.
  • Agent identity, access, and tool permissions are a distinct access-management category, not an afterthought of human IAM.
  • Telemetry captures complete agent action chains, not just errors.
  • Behavioral baselines exist for every production agent.
  • Action-layer detection is wired into existing SOC workflows, not run as a standalone tool.
  • Findings map to the governance frameworks the organization already answers to.
  • Cloud security, AppSec, AI program owners, and the SOC stay aligned.

These are markers, not a checklist: a program can hit one and still be immature, while one missing most of them isn't operational yet.

The platform is the foundation. The program is built on top.

Neither finishes the job alone. The platform without the program is a tool nobody owns. The program without the platform is a policy nobody can enforce. Together, they give an organization what it needs to deploy agents responsibly and respond when something goes wrong.

How is prompt injection evolving?

Prompt injection is evolving toward a wider attack surface and away from easy fixes. As agents connect to more tools and to each other, the ways to reach them multiply, and the defense research, while improving, still can't fully stop it.

Prompt injection isn't static. The attack surface is growing, the defense research is moving, and three shifts matter most for the next 12 to 24 months.

MCP is multiplying the attack surface.

The Model Context Protocol is now the dominant way to connect agents to tools and data. Every server an agent talks to is potential exposure: tool descriptions, server responses, and metadata all get read by the model and can carry an instruction it acts on. 

Cursor RCE was the early signal, turning a malicious MCP server into remote code execution. As adoption accelerates, agents will reach more servers, and most won't be vetted for injection.

Multi-agent systems compound the trust problem.

When agents call other agents, trust chains propagate. One compromised upstream agent corrupts every downstream agent that treats its output as authoritative. 

The threat model shifts from "an attacker reaches my agent" to "an attacker reaches any agent in my dependency graph," including third-party agents no one audited. Injection becomes a supply chain problem.

The research frontier is shifting toward architecture.

Defense is moving from filters to architecture. That's the right direction, but not a finished answer. 

Prompt injection remains unsolved for fully autonomous agents in high-stakes settings, which is why Five Eyes advises incremental deployment with human oversight at consequential decisions. The footprint is growing faster than the defenses. Teams that plan for that will be better positioned than those waiting for the next model to fix it.

Prompt injection FAQs

FAQs

Like what you see?