datarekha
Agents June 10, 2026

Prompt injection is the SQL injection of the AI era

Both attacks come from the same root cause — the system can't separate trusted instructions from untrusted data. In agents it becomes a confused-deputy problem, and a single filter won't save you.

7 min read · by datarekha · llmsecurityprompt-injectionagentsowasp

Twenty-five years ago, web apps had a foundational flaw: they built SQL queries by gluing user input into command strings, so input like '; DROP TABLE users; -- got executed as code. SQL injection topped every security list for a decade. Large language models have the exact same disease in a new body. An LLM reads your system prompt, the user’s message, and a paragraph from a random web page as one undifferentiated stream of tokens, with no hard boundary marking which is a rule and which is just data. If the data looks like an instruction, the model may obey it. That’s prompt injection, and it is the SQL injection of the AI era.

#1 on the list, and possibly unpreventable

This isn’t a fringe worry. Prompt injection is ranked LLM01 — the number-one risk — in the OWASP Top 10 for LLM Applications (2025), and OWASP is unusually candid that, because models are fundamentally stochastic, there may be no fool-proof method of prevention. The dangerous variant is indirect injection: the attack hides in content the model ingests — a web page, an email, a document, a tool result — so the malicious instruction arrives through a trusted channel without the user ever seeing it. (The mechanics and the guardrail types are covered in the prompt injection lesson.)

EchoLeak: the wake-up call

For a long time prompt injection was a lab curiosity. Then came EchoLeak. CVE-2025-32711, disclosed in June 2025, was the first real-world zero-click prompt-injection exploit in a production LLM system — Microsoft 365 Copilot — rated CVSS 9.3. An attacker could exfiltrate data with nothing more than a crafted email; the user didn’t have to click anything. Crucially, EchoLeak only worked by chaining several bypasses together — evading Microsoft’s injection classifier, sneaking a link past redaction with reference-style markdown, abusing auto-fetched images, and slipping through a content-security-policy gap. That detail is the whole lesson: each individual defense was real, and the attack still got through by stacking exploits. No single layer is enough — which is why researchers now describe indirect prompt injection as generative AI’s greatest security flaw, and why it’s increasingly observed in the wild rather than only in red-team labs.

Agents make it a confused-deputy problem

Give the model tools and the stakes jump. A successful injection no longer just produces bad text — it can take actions with the agent’s privileges, which is the classic confused-deputy attack: a trusted, high-privilege agent is tricked into acting for an attacker. The defense-quality gap is enormous. In one study, indirect injection against a GUI agent succeeded 78.6% of the time over 200 attempts with no safeguards, but adversarial-RL-hardened models drove that to roughly 1%. Defense isn’t hopeless — but it has to be built in, not bolted on.

The uncomfortable bottom line: treat every piece of model-ingested content — web pages, documents, tool outputs, retrieved chunks — as untrusted by default, the same way a careful backend treats every form field as hostile. If you’re building agents that can act in the world, the agent security lesson and the MCP lesson (where untrusted tool data enters the loop) are not optional reading. Prompt injection is the SQL injection of AI — and like SQL injection, the teams that take it seriously early are the ones that don’t make the headlines.

Skip to content