Indirect prompt injection

A specific form of prompt injection in which the malicious instruction is not typed by a user but is hidden inside external content that the AI retrieves and reads on its own, for example an invisible instruction embedded in a web page, a shared document, or a calendar invite. The attacker never interacts with the AI directly; they plant their instructions in data the AI will eventually encounter.
This is especially dangerous for AI assistants that browse the web, read emails, or process documents, because the attack surface is anywhere on the internet — not just your own systems. Research confirms it works against today's leading AI tools in real enterprise deployments.
References
OWASP Top 10 for LLM Applications — LLM01: Prompt Injection