{"id":"https://openalex.org/W7138840503","doi":"https://doi.org/10.48550/arxiv.2603.15714","title":"How Vulnerable Are AI Agents to Indirect Prompt Injections? Insights from a Large-Scale Public Competition","display_name":"How Vulnerable Are AI Agents to Indirect Prompt Injections? Insights from a Large-Scale Public Competition","publication_year":2026,"publication_date":"2026-03-16","ids":{"openalex":"https://openalex.org/W7138840503","doi":"https://doi.org/10.48550/arxiv.2603.15714"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.15714","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.15714","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.15714","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5129949120","display_name":"Mateusz Dziemian","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Dziemian, Mateusz","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129943882","display_name":"Maxwell Lin","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lin, Maxwell","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130142781","display_name":"Xiaohan Fu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Fu, Xiaohan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5002011236","display_name":"Micha l Nowak","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Nowak, Micha","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130076334","display_name":"Nick Winter","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Winter, Nick","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130212118","display_name":"Eliot Jones","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jones, Eliot","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129861897","display_name":"Andy Zou","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zou, Andy","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129953646","display_name":"Lama Ahmad","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ahmad, Lama","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5010790447","display_name":"Kamalika Chaudhuri","orcid":"https://orcid.org/0000-0001-9646-7710"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chaudhuri, Kamalika","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129828289","display_name":"Sahana Chennabasappa","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chennabasappa, Sahana","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130128223","display_name":"Xander Davies","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Davies, Xander","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130072683","display_name":"Lauren Deason","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Deason, Lauren","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5035088357","display_name":"Benjamin Edelman","orcid":"https://orcid.org/0000-0003-0573-2836"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Edelman, Benjamin L.","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129918240","display_name":"Tanner Emek","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Emek, Tanner","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129991105","display_name":"Ivan Evtimov","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Evtimov, Ivan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130012588","display_name":"Jim Gust","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Gust, Jim","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5067201111","display_name":"Maia Hamin","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Hamin, Maia","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5090420246","display_name":"Kan He","orcid":"https://orcid.org/0000-0002-4931-2115"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"He, Kat","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5000864191","display_name":"Klaudia Krawiecka","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Krawiecka, Klaudia","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129787203","display_name":"Riccardo Patana","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Patana, Riccardo","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102954205","display_name":"Neil Perry","orcid":"https://orcid.org/0009-0009-4254-4712"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Perry, Neil","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5050969761","display_name":"Troy Peterson","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Peterson, Troy","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5064279600","display_name":"Xiangyu Qi","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Qi, Xiangyu","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5004646269","display_name":"Javier Rando","orcid":"https://orcid.org/0000-0002-2723-7660"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Rando, Javier","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130060246","display_name":"Zifan Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wang, Zifan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129964999","display_name":"Zihan Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wang, Zihan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130092165","display_name":"Spencer Whitman","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Whitman, Spencer","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5014258495","display_name":"Eric Winsor","orcid":"https://orcid.org/0000-0003-1922-4648"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Winsor, Eric","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5009367143","display_name":"Arman Zharmagambetov","orcid":"https://orcid.org/0000-0002-2182-8291"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zharmagambetov, Arman","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130101625","display_name":"Matt Fredrikson","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Fredrikson, Matt","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5129947695","display_name":"Zico Kolter","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Kolter, Zico","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":31,"corresponding_author_ids":["https://openalex.org/A5129949120"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.17399999499320984,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.17399999499320984,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.15760000050067902,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.13169999420642853,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/compromise","display_name":"Compromise","score":0.6528000235557556},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.5723999738693237},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.5631999969482422},{"id":"https://openalex.org/keywords/competition","display_name":"Competition (biology)","score":0.5085999965667725},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.3160000145435333},{"id":"https://openalex.org/keywords/open-source","display_name":"Open source","score":0.3158000111579895},{"id":"https://openalex.org/keywords/deterrence-theory","display_name":"Deterrence theory","score":0.31139999628067017}],"concepts":[{"id":"https://openalex.org/C46355384","wikidata":"https://www.wikidata.org/wiki/Q726686","display_name":"Compromise","level":2,"score":0.6528000235557556},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.5723999738693237},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.5631999969482422},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.546500027179718},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.545799970626831},{"id":"https://openalex.org/C91306197","wikidata":"https://www.wikidata.org/wiki/Q45767","display_name":"Competition (biology)","level":2,"score":0.5085999965667725},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.4203999936580658},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.41909998655319214},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.3160000145435333},{"id":"https://openalex.org/C3018397939","wikidata":"https://www.wikidata.org/wiki/Q3644502","display_name":"Open source","level":3,"score":0.3158000111579895},{"id":"https://openalex.org/C60643870","wikidata":"https://www.wikidata.org/wiki/Q1949683","display_name":"Deterrence theory","level":2,"score":0.31139999628067017},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.3068000078201294},{"id":"https://openalex.org/C2778571376","wikidata":"https://www.wikidata.org/wiki/Q1355821","display_name":"Frontier","level":2,"score":0.29899999499320984},{"id":"https://openalex.org/C91262260","wikidata":"https://www.wikidata.org/wiki/Q528074","display_name":"End user","level":2,"score":0.2892000079154968},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.2867000102996826},{"id":"https://openalex.org/C2778755073","wikidata":"https://www.wikidata.org/wiki/Q10858537","display_name":"Scale (ratio)","level":2,"score":0.2800000011920929},{"id":"https://openalex.org/C2779777834","wikidata":"https://www.wikidata.org/wiki/Q4202277","display_name":"Enforcement","level":2,"score":0.2793999910354614},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.2694999873638153},{"id":"https://openalex.org/C39549134","wikidata":"https://www.wikidata.org/wiki/Q133080","display_name":"Public relations","level":1,"score":0.26030001044273376},{"id":"https://openalex.org/C2776736423","wikidata":"https://www.wikidata.org/wiki/Q326498","display_name":"Competition law","level":3,"score":0.25619998574256897}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.15714","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.15714","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.15714","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.15714","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"LLM":[0],"based":[1],"agents":[2],"are":[3],"increasingly":[4],"deployed":[5],"in":[6,35,76,186,233],"high":[7,202,205],"stakes":[8],"settings":[9],"where":[10,31],"they":[11],"process":[12],"external":[13,36],"data":[14,255],"sources":[15],"such":[16],"as":[17,100],"emails,":[18],"documents,":[19],"and":[20,94,124,179,191,204,211,260,268],"code":[21],"repositories.":[22],"This":[23,87],"creates":[24],"exposure":[25],"to":[26,57,96,162,216,246,271],"indirect":[27],"prompt":[28],"injection":[29],"attacks,":[30],"adversarial":[32],"instructions":[33],"embedded":[34],"content":[37],"manipulate":[38],"agent":[39,119],"behavior":[40],"without":[41],"user":[42,79],"awareness.":[43],"A":[44],"critical":[45],"but":[46],"underexplored":[47],"dimension":[48],"of":[49,74,91,176],"this":[50,114],"threat":[51],"is":[52],"concealment:":[53],"since":[54],"users":[55,89],"tend":[56],"observe":[58],"only":[59],"an":[60,64],"agent's":[61],"final":[62,78],"response,":[63],"attack":[65,135,153,170,254],"can":[66],"conceal":[67],"its":[68],"existence":[69],"by":[70],"presenting":[71],"no":[72],"clue":[73],"compromise":[75],"the":[77,92,228,261,265],"facing":[80],"response":[81],"while":[82],"successfully":[83],"executing":[84],"harmful":[85,98],"actions.":[86],"leaves":[88],"unaware":[90],"manipulation":[93],"likely":[95],"accept":[97],"outcomes":[99],"legitimate.":[101],"We":[102,167,225,251],"present":[103],"findings":[104],"from":[105,157],"a":[106],"large":[107],"scale":[108],"public":[109],"red":[110,222],"teaming":[111,223],"competition":[112,128,229],"evaluating":[113],"dual":[115],"objective":[116],"across":[117,145,174],"three":[118],"settings:":[120],"tool":[121],"calling,":[122],"coding,":[123],"computer":[125],"use.":[126],"The":[127],"attracted":[129],"464":[130],"participants":[131],"who":[132],"submitted":[133],"272000":[134],"attempts":[136],"against":[137,240],"13":[138],"frontier":[139,258],"models,":[140],"yielding":[141],"8648":[142],"successful":[143,238],"attacks":[144,239],"41":[146,177],"scenarios.":[147],"All":[148],"models":[149],"proved":[150],"vulnerable,":[151],"with":[152,196,236,256,264],"success":[154],"rates":[155],"ranging":[156],"0.5%":[158],"(Claude":[159],"Opus":[160],"4.5)":[161],"8.5%":[163],"(Gemini":[164],"2.5":[165,198],"Pro).":[166],"identify":[168],"universal":[169],"strategies":[171],"that":[172,242],"transfer":[173,245],"21":[175],"behaviors":[178],"multiple":[180],"model":[181],"families,":[182],"suggesting":[183],"fundamental":[184],"weaknesses":[185],"instruction":[187],"following":[188],"architectures.":[189],"Capability":[190],"robustness":[192,273],"showed":[193],"weak":[194],"correlation,":[195],"Gemini":[197],"Pro":[199],"exhibiting":[200],"both":[201],"capability":[203],"vulnerability.":[206],"To":[207],"address":[208],"benchmark":[209],"saturation":[210],"obsoleteness,":[212],"we":[213],"will":[214],"endeavor":[215],"deliver":[217],"quarterly":[218],"updates":[219],"through":[220],"continued":[221],"competitions.":[224],"open":[226],"source":[227,249],"environment":[230],"for":[231],"use":[232],"evaluations,":[234],"along":[235],"95":[237],"Qwen":[241],"did":[243],"not":[244],"any":[247],"closed":[248],"model.":[250],"share":[252],"model-specific":[253],"respective":[257],"labs":[259],"full":[262],"dataset":[263],"UK":[266],"AISI":[267],"US":[269],"CAISI":[270],"support":[272],"research.":[274]},"counts_by_year":[],"updated_date":"2026-05-05T08:41:31.759640","created_date":"2026-03-20T00:00:00"}