{"id":"https://openalex.org/W7160292903","doi":"https://doi.org/10.48550/arxiv.2605.02187","title":"When Alignment Isn't Enough: Response-Path Attacks on LLM Agents","display_name":"When Alignment Isn't Enough: Response-Path Attacks on LLM Agents","publication_year":2026,"publication_date":"2026-05-04","ids":{"openalex":"https://openalex.org/W7160292903","doi":"https://doi.org/10.48550/arxiv.2605.02187"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.02187","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.02187","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.02187","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5060695253","display_name":"Mingyu Luo","orcid":"https://orcid.org/0009-0008-4965-0852"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Luo, Mingyu","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135348804","display_name":"Zihan Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Zihan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5104347529","display_name":"Zesen Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Zesen","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135338319","display_name":"Yuchong Xie","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xie, Yuchong","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100626935","display_name":"Zhixiang Zhang","orcid":"https://orcid.org/0000-0003-4122-7167"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Zhixiang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135288932","display_name":"Dung Hiu Hilton Yeung","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yeung, Dung Hiu Hilton","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135291346","display_name":"Wai Ip Lai","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lai, Wai Ip","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135380957","display_name":"Ping Chen","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chen, Ping","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135401914","display_name":"Ming Wen","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wen, Ming","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5048358055","display_name":"Dongdong She","orcid":"https://orcid.org/0000-0001-6655-0468"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"She, Dongdong","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":10,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11498","display_name":"Security in Wireless Sensor Networks","score":0.26100000739097595,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11498","display_name":"Security in Wireless Sensor Networks","score":0.26100000739097595,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10714","display_name":"Software-Defined Networks and 5G","score":0.11800000071525574,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.1136000007390976,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/relay","display_name":"Relay","score":0.7117000222206116},{"id":"https://openalex.org/keywords/upstream","display_name":"Upstream (networking)","score":0.5142999887466431},{"id":"https://openalex.org/keywords/downstream","display_name":"Downstream (manufacturing)","score":0.5134000182151794},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.4375},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.2606000006198883}],"concepts":[{"id":"https://openalex.org/C2778156585","wikidata":"https://www.wikidata.org/wiki/Q174053","display_name":"Relay","level":3,"score":0.7117000222206116},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6679999828338623},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5803999900817871},{"id":"https://openalex.org/C191172861","wikidata":"https://www.wikidata.org/wiki/Q7899321","display_name":"Upstream (networking)","level":2,"score":0.5142999887466431},{"id":"https://openalex.org/C2776207758","wikidata":"https://www.wikidata.org/wiki/Q5303302","display_name":"Downstream (manufacturing)","level":2,"score":0.5134000182151794},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.4375},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.3691999912261963},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.2606000006198883},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.2578999996185303},{"id":"https://openalex.org/C41550386","wikidata":"https://www.wikidata.org/wiki/Q529909","display_name":"Multi-agent system","level":2,"score":0.24469999969005585}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.02187","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.02187","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.02187","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.02187","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.57841956615448}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Bring-Your-Own-Key":[0],"(BYOK)":[1],"agent":[2,30,144],"architectures":[3],"let":[4],"users":[5],"route":[6],"LLM":[7,24],"traffic":[8],"through":[9],"third-party":[10],"relays,":[11],"creating":[12],"a":[13,17,135],"critical":[14],"integrity":[15],"gap:":[16],"malicious":[18],"relay":[19,45],"can":[20,46],"modify":[21],"an":[22],"aligned":[23,56],"response":[25],"after":[26],"generation":[27],"but":[28],"before":[29],"execution.":[31],"We":[32,62],"formalize":[33],"this":[34,64],"post-alignment":[35],"tampering":[36],"threat":[37,65],"and":[38,80,93,115,121],"show":[39,126],"that,":[40],"without":[41],"end-to-end":[42],"integrity,":[43],"the":[44,67,88],"observe,":[47],"suppress,":[48],"or":[49],"replace":[50],"downstream":[51],"messages,":[52],"making":[53],"even":[54],"perfectly":[55],"LLMs":[57],"ineffective":[58],"against":[59],"such":[60],"attacks.":[61],"instantiate":[63],"as":[66],"Relay":[68],"Tampering":[69],"Attack":[70],"(RTA),":[71],"which":[72],"performs":[73],"multi-round":[74],"strategic":[75],"rewriting,":[76],"minimal":[77],"security-critical":[78],"edits,":[79],"stealth":[81],"restoration":[82],"by":[83],"resubmitting":[84],"tampered":[85],"outputs":[86],"to":[87,101],"upstream":[89],"LLM.":[90],"Across":[91],"AgentDojo":[92],"ASB":[94],"with":[95,108],"six":[96],"LLMs,":[97],"RTA":[98,141],"achieves":[99],"up":[100],"99.1%":[102],"attack":[103],"success,":[104],"outperforming":[105],"prompt-injection":[106],"baselines":[107],"modest":[109],"overhead.":[110],"Case":[111],"studies":[112],"on":[113],"OpenClaw":[114],"Claude":[116],"Code":[117],"demonstrate":[118],"real-world":[119],"feasibility,":[120],"evaluations":[122],"of":[123],"four":[124],"defenses":[125],"that":[127,139],"none":[128],"fully":[129],"prevent":[130],"RTA.":[131],"Finally,":[132],"we":[133],"propose":[134],"time-based":[136],"detection":[137],"defense":[138],"mitigates":[140],"while":[142],"preserving":[143],"utility.":[145]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-05-06T00:00:00"}