pith. sign in

arxiv: 2606.04425 · v1 · pith:A5PNBDR2new · submitted 2026-06-03 · 💻 cs.CR · cs.AI

What If Prompt Injection Never Left? Exploring Cross-Session Stored Prompt Injection in Agentic Systems

Yuanbo Xie , Tianyun Liu , Yingjie Zhang , Suchen Liu , Yulin Li , Liya Su , Tingwen Liu This is my paper

Pith reviewed 2026-06-28 06:08 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords prompt injectionagentic systemsstored attackscross-session vulnerabilitiesLLM securitypersistent state
0
0 comments X

The pith

Prompt injection can persist across sessions in agentic systems by embedding in their state.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper argues that agentic systems, which maintain state like memories and files across sessions, allow prompt injections to persist and affect future interactions. This shifts the threat from a one-time model issue to an ongoing system vulnerability. A sympathetic reader would care because it means attackers can plant instructions that continue to influence the agent long after the initial contact ends, expanding the risks of these systems.

Core claim

Inspired by stored cross-site scripting, the authors introduce cross-session stored prompt injection, formalize it, develop a taxonomy of persistence channels, and create a benchmark showing that such injections can silently influence future executions in agentic systems.

What carries the argument

cross-session stored prompt injection, the mechanism by which adversarial prompt content persists in agent execution state and affects later sessions.

If this is right

  • Persistence channels such as memories and filesystems can carry adversarial content across sessions.
  • The attack surface expands from single-session model threats to long-lived system vulnerabilities.
  • Quantitative evaluation across models shows varying success rates depending on persistence methods and goals.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • System designers may need to implement sanitization for all persistent state to prevent such attacks.
  • This could lead to new security requirements for agentic platforms similar to input validation in web apps.
  • Future agent designs might separate user-controlled state from execution instructions more strictly.

Load-bearing premise

Agentic systems maintain modifiable persistent state that can carry and execute adversarial prompt content across sessions without built-in sanitization.

What would settle it

An experiment in which an injected prompt is stored in persistent state but produces no effect on subsequent agent executions would disprove the claim.

Figures

Figures reproduced from arXiv: 2606.04425 by Liya Su, Suchen Liu, Tianyun Liu, Tingwen Liu, Yingjie Zhang, Yuanbo Xie, Yulin Li.

Figure 1
Figure 1. Figure 1: Cross-session Stored Prompt Injection as the Agentic-System Analogue of Stored XSS. [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Overview of Stored Prompt Injection Lifecycle. [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: The Architecture of SPI-Benchmark’s evaluation pipeline. [PITH_FULL_IMAGE:figures/full_fig_p009_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: E2E-ASR by attack goal across three models. [PITH_FULL_IMAGE:figures/full_fig_p010_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Activation Rate(AR) by attack goal. with substantial differences in AR (56–92%), sug￾gesting model-dependent behavior in interpreting task scope. 5.4 RQ3: Persistent Channel Analysis Working Memory (Direct) Archival Memory (Conditional) File-backed Context (Direct) 0 10 20 30 40 50 60 70 E2E-ASR (%) 46.3 42.6 37.0 35.2 31.5 29.6 40.7 25.9 55.6 GLM-5.1 GPT-5-mini MiniMax-M2.7 [PITH_FULL_IMAGE:figures/full_… view at source ↗
Figure 6
Figure 6. Figure 6: E2E-ASR by persistent channel. The channel comparison ( [PITH_FULL_IMAGE:figures/full_fig_p011_6.png] view at source ↗
Figure 8
Figure 8. Figure 8: Overall SPI attack success across 3 models. [PITH_FULL_IMAGE:figures/full_fig_p014_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: WSR by attack goal and attack type across models. [PITH_FULL_IMAGE:figures/full_fig_p015_9.png] view at source ↗
read the original abstract

Modern agentic systems transform LLMs from session-bounded assistants into stateful systems that persist and evolve shared world state across sessions through memories, filesystems, tools, and other long-lived contextual artifacts. This shift fundamentally expands the attack surface of prompt injection. However, prior works on prompt injection have largely focused on model-level threats within a single session, overlooking how cross-session persistent system state fundamentally changes the system-level risk of agentic systems. Inspired by stored cross-site scripting in web systems, we introduce cross-session stored prompt injection, where a successful injection can persist within agentic system state and silently influence future executions long after the original attacker interaction has ended. To systematically study this threat, we formalize stored prompt injection and develop a taxonomy of how adversarial content persists and affects agentic systems across sessions. We further develop a benchmark and sandbox toolkit to evaluate the risks of stored prompt injection, enabling quantitative analysis of attack success across different models, attack goals, and persistence channels. Our findings highlight that persistence transforms prompt injection from an ephemeral model-level threat into a long-lived system-level vulnerability embedded within agent execution state. We hope this work draws broader attention to this emerging threat and motivates the community to systematically study and mitigate system risks arising from persistence in agentic systems.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper claims that agentic LLM systems with modifiable persistent state (memories, filesystems, tools) convert prompt injection from an ephemeral single-session model-level threat into a cross-session stored system-level vulnerability, analogous to stored XSS. It formalizes stored prompt injection, presents a taxonomy of persistence channels, develops a benchmark and sandbox toolkit for quantitative evaluation across models and goals, and concludes that persistence embeds the vulnerability in agent execution state.

Significance. If the formalization holds, the work is significant for extending the prompt injection threat model to account for persistent state in agentic systems and for supplying a benchmark and sandbox that can support reproducible study of these risks. The taxonomy provides a structured framework grounded in web-security analogies, and the toolkit directly addresses the need for tools to analyze cross-session effects.

major comments (1)
  1. [Abstract and Benchmark section] Abstract and Benchmark section: the manuscript states that the benchmark enables quantitative analysis and that 'our findings highlight' the transformation of prompt injection into a long-lived system-level vulnerability, yet supplies no attack success rates, model comparisons, validation data, or error analysis. This is load-bearing for the central claim that persistence produces practically significant cross-session risks.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the detailed review and for identifying this critical gap. We agree that the absence of quantitative results undermines the central claims and will revise the manuscript to include them.

read point-by-point responses

  1. Referee: [Abstract and Benchmark section] Abstract and Benchmark section: the manuscript states that the benchmark enables quantitative analysis and that 'our findings highlight' the transformation of prompt injection into a long-lived system-level vulnerability, yet supplies no attack success rates, model comparisons, validation data, or error analysis. This is load-bearing for the central claim that persistence produces practically significant cross-session risks.

    Authors: We acknowledge the referee's observation is correct: the submitted manuscript describes the benchmark and sandbox toolkit but does not report attack success rates, model comparisons, validation data, or error analysis in the abstract or benchmark section. The empirical evaluation was performed but omitted from the initial submission. In the revised version we will add a dedicated 'Benchmark Results' subsection (and update the abstract) that presents attack success rates across models, persistence channels, and attack goals, together with model comparisons, validation methodology, and error analysis to substantiate the claim that persistence converts the threat into a long-lived system-level vulnerability. revision: yes

Circularity Check

0 steps flagged

No significant circularity detected

full rationale

The paper introduces a conceptual threat model for cross-session stored prompt injection, drawing an external analogy to stored XSS without any mathematical derivations, equations, fitted parameters, or predictions. The central claim—that persistence in agentic systems (memories, filesystems, tools) expands the attack surface—follows directly from the stated premise of modifiable persistent state and requires no self-referential reduction or load-bearing self-citation. No steps match the enumerated circularity patterns, as the work is self-contained as a new taxonomy and benchmark grounded outside the paper's own inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

Central claim rests on the domain assumption that agentic systems expose modifiable persistent state that can be abused by prompt content; the new entity is the stored prompt injection concept itself.

axioms (1)
  • domain assumption Agentic systems maintain and share persistent state across sessions through memories, filesystems, tools, and other long-lived contextual artifacts.
    Invoked in the opening sentences to establish the expanded attack surface.
invented entities (1)
  • cross-session stored prompt injection no independent evidence
    purpose: To name and formalize the persistent variant of prompt injection that survives across sessions.
    New term introduced to capture the threat; no independent evidence provided beyond the conceptual definition.

pith-pipeline@v0.9.1-grok · 5775 in / 1265 out tokens · 36544 ms · 2026-06-28T06:08:53.625607+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

37 extracted references · 2 canonical work pages

  1. [1]

    2024 , eprint=

    MemGPT: Towards LLMs as Operating Systems , author=. 2024 , eprint=

    2024

  2. [2]

    Proceedings of the 36th annual acm symposium on user interface software and technology , pages=

    Generative agents: Interactive simulacra of human behavior , author=. Proceedings of the 36th annual acm symposium on user interface software and technology , pages=

  3. [3]

    Proceedings of the AAAI conference on artificial intelligence , volume=

    Memorybank: Enhancing large language models with long-term memory , author=. Proceedings of the AAAI conference on artificial intelligence , volume=

  4. [4]

    Advances in neural information processing systems , volume=

    Retrieval-augmented generation for knowledge-intensive nlp tasks , author=. Advances in neural information processing systems , volume=

  5. [5]

    International conference on machine learning , pages=

    Retrieval augmented language model pre-training , author=. International conference on machine learning , pages=. 2020 , organization=

    2020

  6. [6]

    Ufo: A ui-focused agent for windows os interaction , author=. Proceedings of the 2025 Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies (Volume 1: Long Papers) , pages=

    2025

  7. [7]

    Forty-second International Conference on Machine Learning , year=

    The Berkeley Function Calling Leaderboard (BFCL): From Tool Use to Agentic Evaluation of Large Language Models , author=. Forty-second International Conference on Machine Learning , year=

  8. [8]

    The Thirteenth International Conference on Learning Representations , year=

    tau-bench: A Benchmark for Tool-Agent-User Interaction in Real-World Domains , author=. The Thirteenth International Conference on Learning Representations , year=

  9. [9]

    CRMA rena: Understanding the Capacity of LLM Agents to Perform Professional CRM Tasks in Realistic Environments

    Huang, Kung-Hsiang and Prabhakar, Akshara and Dhawan, Sidharth and Mao, Yixin and Wang, Huan and Savarese, Silvio and Xiong, Caiming and Laban, Philippe and Wu, Chien-Sheng. CRMA rena: Understanding the Capacity of LLM Agents to Perform Professional CRM Tasks in Realistic Environments. Proceedings of the 2025 Conference of the Nations of the Americas Chap...

    work page doi:10.18653/v1/2025.naacl-long.194 2025

  10. [10]

    2023 , booktitle=

    Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection , author=. 2023 , booktitle=

    2023

  11. [11]

    arXiv preprint arXiv:2211.09527 , year=

    Ignore previous prompt: Attack techniques for language models , author=. arXiv preprint arXiv:2211.09527 , year=

    Pith/arXiv arXiv

  12. [12]

    2025 , eprint=

    Prompt Injection attack against LLM-integrated Applications , author=. 2025 , eprint=

    2025

  13. [13]

    Proceedings of the AAAI Conference on Artificial Intelligence , author=

    MPMA: Preference Manipulation Attack Against Model Context Protocol , volume=. Proceedings of the AAAI Conference on Artificial Intelligence , author=. 2026 , month=. doi:10.1609/aaai.v40i42.40898 , number=

    work page doi:10.1609/aaai.v40i42.40898 2026

  14. [14]

    arXiv preprint arXiv:2508.12538 , year=

    Systematic analysis of mcp security , author=. arXiv preprint arXiv:2508.12538 , year=

    Pith/arXiv arXiv

  15. [15]

    The 6th Workshop of Adversarial Machine Learning on Computer Vision: Safety of Vision-Language Agents , year=

    SkillJect: Automating Stealthy Skill-Based Prompt Injection for Coding Agents with Trace-Driven Closed-Loop Refinement , author=. The 6th Workshop of Adversarial Machine Learning on Computer Vision: Safety of Vision-Language Agents , year=

  16. [16]

    AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for

    Edoardo Debenedetti and Jie Zhang and Mislav Balunovic and Luca Beurer-Kellner and Marc Fischer and Florian Tram. AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for. The Thirty-eight Conference on Neural Information Processing Systems Datasets and Benchmarks Track , year=

  17. [17]

    arXiv preprint arXiv:2412.14470 , year=

    Agent-SafetyBench: Evaluating the Safety of LLM Agents , author=. arXiv preprint arXiv:2412.14470 , year=

    Pith/arXiv arXiv

  18. [18]

    Agent Security Bench (

    Hanrong Zhang and Jingyuan Huang and Kai Mei and Yifei Yao and Zhenting Wang and Chenlu Zhan and Hongwei Wang and Yongfeng Zhang , booktitle=. Agent Security Bench (. 2025 , url=

    2025

  19. [19]

    2017 , howpublished =

    2017

  20. [20]

    2023 , journal=

    From Prompt Injections to SQL Injection Attacks: How Protected is Your LLM-Integrated Web Application? , author=. 2023 , journal=

    2023

  21. [21]

    Zou, Wei and Geng, Runpeng and Wang, Binghui and Jia, Jinyuan , booktitle=

  22. [22]

    arXiv preprint arXiv:2402.02716 , year=

    Understanding the planning of llm agents: A survey , author=. arXiv preprint arXiv:2402.02716 , year=

    Pith/arXiv arXiv

  23. [23]

    Memory Injection Attacks on

    Shen Dong and Shaochen Xu and Pengfei He and Yige Li and Jiliang Tang and Tianming Liu and Hui Liu and Zhen Xiang , booktitle=. Memory Injection Attacks on. 2026 , url=

    2026

  24. [24]

    Advances in Neural Information Processing Systems , volume=

    Agentpoison: Red-teaming llm agents via poisoning memory or knowledge bases , author=. Advances in Neural Information Processing Systems , volume=

  25. [25]

    arXiv preprint arXiv:2602.16901 , year=

    Agentlab: Benchmarking llm agents against long-horizon attacks , author=. arXiv preprint arXiv:2602.16901 , year=

    arXiv

  26. [26]

    arXiv preprint arXiv:2602.07398 , year=

    AgentSys: Secure and Dynamic LLM Agents Through Explicit Hierarchical Memory Management , author=. arXiv preprint arXiv:2602.07398 , year=

    arXiv

  27. [27]

    33rd USENIX Security Symposium (USENIX Security 24) , pages=

    Formalizing and benchmarking prompt injection attacks and defenses , author=. 33rd USENIX Security Symposium (USENIX Security 24) , pages=

  28. [28]

    Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing , pages=

    Prompt as triggers for backdoor attack: Examining the vulnerability in language models , author=. Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing , pages=

    2023

  29. [29]

    Science China Information Sciences , volume=

    The rise and potential of large language model based agents: A survey , author=. Science China Information Sciences , volume=. 2025 , publisher=

    2025

  30. [30]

    Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing , pages=

    Webinject: Prompt injection attack to web agents , author=. Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing , pages=

    2025

  31. [31]

    Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing , pages=

    Topicattack: An indirect prompt injection attack via topic transition , author=. Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing , pages=

    2025

  32. [32]

    arXiv preprint arXiv:2603.12614 , year=

    ChainFuzzer: Greybox Fuzzing for Workflow-Level Multi-Tool Vulnerabilities in LLM Agents , author=. arXiv preprint arXiv:2603.12614 , year=

    arXiv

  33. [33]

    Information and Software Technology , volume=

    Current state of research on cross-site scripting (XSS)--A systematic literature review , author=. Information and Software Technology , volume=. 2015 , publisher=

    2015

  34. [34]

    ACM Transactions on Information Systems , volume=

    A survey on the memory mechanism of large language model-based agents , author=. ACM Transactions on Information Systems , volume=. 2025 , publisher=

    2025

  35. [35]

    arXiv preprint arXiv:2601.05504 , year=

    Memory poisoning attack and defense on memory based llm-agents , author=. arXiv preprint arXiv:2601.05504 , year=

    arXiv

  36. [36]

    arXiv preprint arXiv:2504.19678 , year=

    From llm reasoning to autonomous ai agents: A comprehensive review , author=. arXiv preprint arXiv:2504.19678 , year=

    Pith/arXiv arXiv

  37. [37]

    arXiv preprint arXiv:2603.15125 , year=

    From storage to steering: Memory control flow attacks on LLM agents , author=. arXiv preprint arXiv:2603.15125 , year=

    Pith/arXiv arXiv