AI Security | Glossary | May 1, 2026

Indirect Prompt Injection

Quick Answer

Indirect prompt injection is an attack where malicious instructions reach an LLM agent through content it ingests as data — a webpage, retrieved document, email, tool response, or memory record — rather than through the user's prompt. The model interprets that attacker-controlled content as operational instruction and acts on it under the victim user's credentials. Also known as XPIA or second-order prompt injection, it is a confused-deputy vulnerability arising from the missing isolation boundary between instructions and data inside a single LLM context.

Indirect Prompt Injection

Indirect prompt injection is an attack class against LLM agents in which the malicious instructions are not typed by the user but are embedded in third-party content the agent later ingests as data — a webpage, retrieved document, email, tool response, calendar invite, or memory record. The model fails to maintain an isolation boundary between instructions and data, treats the attacker-controlled content as operational guidance, and takes actions under the victim user's credentials. The term is also written as XPIA, indirect injection, or second-order prompt injection. It differs from direct prompt injection: the user is the victim, not the attacker, and the payload author is a third party whose content the agent happens to read.

Tool hijacking, memory poisoning, and multi-agent prompt injection are downstream specializations of the same mechanism, distinguished by the channel — tool metadata, persistent memory, or peer-agent message — that carries the payload.
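The gap this entry describes, as an added Python example (not code from this glossary or from any agent framework): `flat_context` drops provenance the way naive prompt assembly does, while `authorize` is one assumed deputy-side mitigation that tracks provenance outside the model and holds privileged tool calls when third-party content is in context. The tool names, source labels, and sample turn are constructed.

```python
from dataclasses import dataclass

# Assumption: only these two sources may carry instructions. Anything else
# (webpage, document, email, tool_response, memory, unknown) is data.
TRUSTED_SOURCES = {"system", "user"}
# Hypothetical tool names that act under the user's credentials.
PRIVILEGED_TOOLS = {"send_email", "delete_file"}


@dataclass(frozen=True)
class Segment:
    source: str  # where the text entered the context
    text: str


def flat_context(segments):
    """Naive assembly: provenance is dropped, so the model receives one
    undifferentiated string and cannot tell instruction from data."""
    return "\n".join(s.text for s in segments)


def tainted(segments):
    """True if any segment came from outside the trusted sources.
    Unknown labels count as untrusted (fail closed)."""
    return any(s.source not in TRUSTED_SOURCES for s in segments)


def authorize(tool, segments, user_confirmed=False):
    """Policy check enforced outside the model: a privileged call proposed
    while third-party content is in context needs explicit user approval."""
    if tool not in PRIVILEGED_TOOLS:
        return "allow"
    if tainted(segments) and not user_confirmed:
        return "needs_confirmation"
    return "allow"


# Constructed sample turn: the fetched page contains text addressed to the
# agent rather than to a human reader (placeholder, not a real payload).
TURN = [
    Segment("system", "You are a mail assistant."),
    Segment("user", "Summarize this page for me."),
    Segment("webpage", "Q3 results ... [constructed text addressed to the agent]"),
]

if __name__ == "__main__":
    print(authorize("send_email", TURN))      # privileged call, tainted context
    print(authorize("send_email", TURN[:2]))  # same call, no third-party content
```

The check does not try to detect injected text; it limits what the agent may do on its own once any third-party content has entered the context.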
