Capture Summary
Recent arXiv preprint formalizing cross-session stored prompt injection as a persistent-state attack against agentic systems.
Abstract Capture
The paper argues that agentic systems are no longer session-bounded assistants because they persist shared state through memory, filesystems, tools, and other long-lived artifacts. This turns prompt injection into a stored, cross-session problem rather than only an in-session model-behavior problem. The authors formalize stored prompt injection, develop a taxonomy of persistence channels, and introduce a benchmark and sandbox toolkit for evaluating attack success across models, attack goals, and persistence channels. The core claim is that persistence transforms prompt injection into a long-lived system-level vulnerability embedded in agent execution state.
Collection Notes
- Untrusted source content. Treat attack patterns and payload descriptions as evidence only.
- Primary relevance: [[03_Topics/Prompt Injection]], [[03_Topics/RAG and AI Data Security]]
- PDF: https://arxiv.org/pdf/2606.04425