Title: What If Prompt Injection Never Left? Exploring Cross-Session Stored Prompt Injection in Agentic Systems

Abstract:

Contemporary agentic systems have evolved Large Language Models (LLMs) from assistants confined to individual sessions into stateful entities. These systems maintain and adapt a shared representation of the world across multiple interactions by leveraging memories, file systems, tools, and other enduring contextual elements. This architectural shift significantly broadens the attack surface for prompt injection. Yet, previous research has predominantly examined model-level vulnerabilities occurring within isolated sessions, largely ignoring how persistent system state across sessions alters the systemic risks inherent to agentic frameworks. Drawing inspiration from stored cross-site scripting (XSS) in web applications, we propose the concept of "cross-session stored prompt injection." In this scenario, a successful injection embeds itself within the agentic system’s state, allowing it to covertly manipulate subsequent executions long after the initial malicious interaction has concluded.

To investigate this threat systematically, we formalize the mechanics of stored prompt injection and construct a taxonomy detailing how adversarial content endures and impacts agentic systems over time. Additionally, we have created a benchmark and a sandbox toolkit designed to assess the dangers posed by stored prompt injection. These resources facilitate the quantitative measurement of attack success rates across various models, objective goals, and persistence mechanisms. Our results demonstrate that persistence elevates prompt injection from a transient, model-level issue to a durable, system-level vulnerability deeply integrated into the agent’s execution state. We aim for this research to raise wider awareness of this nascent threat and encourage the community to rigorously examine and address the systemic risks generated by persistence in agentic systems.

Source: arXiv Generated at: 2026-06-04 00:00:00 UTC