What happened
A paper by Ye, Cui and Hadfield-Menell accepted at ICML 2026 (arXiv:2603.12277), published to the web on or around June 24–25, 2026, proves that current LLMs identify message roles primarily by writing style and tone rather than by formal role tags (system/user/tool). Attackers can embed content in tool outputs or external data that mimics the stylistic signature of the system prompt or user turns, causing the model to execute it as a trusted instruction. The paper introduces 'CoT Forgery' — injecting fake chain-of-thought reasoning that the model mistakes for its own prior thoughts — and shows that destyling (altering the writing style of injected content) reduces attack success from 61% down to ~10%, confirming style is the dominant signal.
Why it matters
This is a structural flaw in how LLMs perceive roles, not a prompt-engineering gap that can be patched with better system-prompt wording. Any deployed LLM agent that processes external data (web pages, emails, documents, tool outputs) is potentially vulnerable. The PoC shows high baseline success rates (61%) on frontier models and provides a mechanistic explanation for why prior mitigations fail. CoT Forgery is a novel attack vector against reasoning-chain models (o1, Claude 3.x, Gemini 2.x) where fabricated inner thoughts can steer autonomous actions.
Attack vector
Malicious content embedded in tool outputs, web-fetched pages, emails, or documents is stylistically formatted to mimic system/user role markers, causing the LLM agent to execute the injected instruction; CoT Forgery variant injects fake reasoning traces
Affected systems
All major LLM deployments that process mixed-role context windows; especially agentic systems using chain-of-thought reasoning (GPT-4o, Claude, Gemini, etc.)
Mitigation
Apply destyling to tool/external-data outputs before injection into the context window (reduces attack success rate from 61% to ~10%). Treat all retrieved content as adversarial. Sandbox agent execution. Monitor outputs for anomalous instruction-following patterns. No model-level patch currently available. Paper: https://arxiv.org/abs/2603.12277