{"id":"https://openalex.org/W7123676169","doi":"https://doi.org/10.48550/arxiv.2601.07072","title":"Overcoming the Retrieval Barrier: Indirect Prompt Injection in the Wild for LLM Systems","display_name":"Overcoming the Retrieval Barrier: Indirect Prompt Injection in the Wild for LLM Systems","publication_year":2026,"publication_date":"2026-01-11","ids":{"openalex":"https://openalex.org/W7123676169","doi":"https://doi.org/10.48550/arxiv.2601.07072"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2601.07072","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2601.07072","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2601.07072","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5091522099","display_name":"Hongyan Chang","orcid":"https://orcid.org/0000-0002-0569-0173"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Chang, Hongyan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5089624047","display_name":"Ergute Bao","orcid":"https://orcid.org/0000-0002-4438-8065"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Bao, Ergute","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101013720","display_name":"Xinjian Luo","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Luo, Xinjian","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5122978049","display_name":"Ting Yu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yu, Ting","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5091522099"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.288100004196167,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.288100004196167,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.09749999642372131,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.0723000019788742,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.7242000102996826},{"id":"https://openalex.org/keywords/embedding","display_name":"Embedding","score":0.638700008392334},{"id":"https://openalex.org/keywords/fragment","display_name":"Fragment (logic)","score":0.5292999744415283},{"id":"https://openalex.org/keywords/natural-language","display_name":"Natural language","score":0.3986000120639801},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.34950000047683716},{"id":"https://openalex.org/keywords/question-answering","display_name":"Question answering","score":0.3488999903202057}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7900000214576721},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.7242000102996826},{"id":"https://openalex.org/C41608201","wikidata":"https://www.wikidata.org/wiki/Q980509","display_name":"Embedding","level":2,"score":0.638700008392334},{"id":"https://openalex.org/C2776235265","wikidata":"https://www.wikidata.org/wiki/Q18392052","display_name":"Fragment (logic)","level":2,"score":0.5292999744415283},{"id":"https://openalex.org/C23123220","wikidata":"https://www.wikidata.org/wiki/Q816826","display_name":"Information retrieval","level":1,"score":0.4269999861717224},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.40209999680519104},{"id":"https://openalex.org/C195324797","wikidata":"https://www.wikidata.org/wiki/Q33742","display_name":"Natural language","level":2,"score":0.3986000120639801},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.34950000047683716},{"id":"https://openalex.org/C44291984","wikidata":"https://www.wikidata.org/wiki/Q1074173","display_name":"Question answering","level":2,"score":0.3488999903202057},{"id":"https://openalex.org/C2776608160","wikidata":"https://www.wikidata.org/wiki/Q4785462","display_name":"Natural (archaeology)","level":2,"score":0.3319999873638153},{"id":"https://openalex.org/C551230270","wikidata":"https://www.wikidata.org/wiki/Q4368942","display_name":"Data retrieval","level":2,"score":0.31610000133514404},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.310699999332428},{"id":"https://openalex.org/C59656382","wikidata":"https://www.wikidata.org/wiki/Q191536","display_name":"Conjunction (astronomy)","level":2,"score":0.25679999589920044}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2601.07072","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2601.07072","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2601.07072","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2601.07072","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.6174476742744446,"display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Large":[0],"language":[1],"models":[2,155,159],"(LLMs)":[3],"increasingly":[4],"rely":[5],"on":[6,97,141,164,211],"retrieving":[7],"information":[8],"from":[9],"external":[10,179],"corpora.":[11],"This":[12],"creates":[13],"a":[14,81,111,196,202,205,215,233,257],"new":[15],"attack":[16,89,94,107,120,123,189],"surface:":[17],"indirect":[18],"prompt":[19],"injection":[20],"(IPI),":[21],"where":[22],"hidden":[23],"instructions":[24],"are":[25,245],"planted":[26],"in":[27,232],"the":[28,45,77,169,249],"corpora":[29],"and":[30,87,104,145,152,160,177,184,198,241],"hijack":[31],"model":[32],"behavior":[33],"once":[34],"retrieved.":[35,54],"Previous":[36],"studies":[37],"have":[38],"highlighted":[39],"this":[40,73,98,165],"risk":[41],"but":[42],"often":[43],"avoid":[44],"hardest":[46],"step:":[47],"ensuring":[48],"that":[49,84,91,109,243],"malicious":[50,78,252],"content":[51,79],"is":[52,59,131],"actually":[53],"In":[55],"practice,":[56],"unoptimized":[57],"IPI":[58,172,194],"rarely":[60],"retrieved":[61],"under":[62,174],"natural":[63,175,206],"queries,":[64],"which":[65],"leaves":[66],"its":[67],"real-world":[68],"impact":[69],"unclear.":[70],"We":[71,236],"address":[72],"challenge":[74],"by":[75],"decomposing":[76],"into":[80,224],"trigger":[82,113],"fragment":[83,90,114],"guarantees":[85],"retrieval":[86,117,148,250,255],"an":[88,102],"encodes":[92],"arbitrary":[93],"objectives.":[95,190],"Based":[96,163],"idea,":[99],"we":[100,167],"design":[101],"efficient":[103],"effective":[105],"black-box":[106],"algorithm":[108],"constructs":[110],"compact":[112],"to":[115,128,208,221,247],"guarantee":[116],"for":[118],"any":[119],"fragment.":[121],"Our":[122],"requires":[124],"only":[125],"API":[126],"access":[127],"embedding":[129,143,154],"models,":[130],"cost-efficient":[132],"(as":[133],"little":[134],"as":[135,195,256],"$0.21":[136],"per":[137],"target":[138],"user":[139,203],"query":[140,207],"OpenAI's":[142],"models),":[144],"achieves":[146],"near-100%":[147],"across":[149],"11":[150],"benchmarks":[151],"8":[153],"(including":[156],"both":[157,182],"open-source":[158],"proprietary":[161],"services).":[162],"attack,":[166],"present":[168],"first":[170],"end-to-end":[171],"exploits":[173],"queries":[176],"realistic":[178],"corpora,":[180],"spanning":[181],"RAG":[183],"agentic":[185],"systems":[186],"with":[187,228],"diverse":[188],"These":[191],"results":[192],"establish":[193],"practical":[197],"severe":[199],"threat:":[200],"when":[201],"issued":[204],"summarize":[209],"emails":[210],"frequently":[212],"asked":[213],"topics,":[214],"single":[216],"poisoned":[217],"email":[218],"was":[219],"sufficient":[220],"coerce":[222],"GPT-4o":[223],"exfiltrating":[225],"SSH":[226],"keys":[227],"over":[229],"80%":[230],"success":[231],"multi-agent":[234],"workflow.":[235],"further":[237],"evaluate":[238],"several":[239],"defenses":[240],"find":[242],"they":[244],"insufficient":[246],"prevent":[248],"of":[251],"text,":[253],"highlighting":[254],"critical":[258],"open":[259],"vulnerability.":[260]},"counts_by_year":[],"updated_date":"2026-01-14T23:44:37.837170","created_date":"2026-01-14T00:00:00"}