What If Prompt Injection Never Left? Exploring Cross-Session Stored Prompt Injection in Agentic Systems
Researchers have identified a critical security vulnerability in agentic AI systems called cross-session stored prompt injection, where malicious instructions can persist within system state and compromise future interactions long after the attacker disconnects. This threat fundamentally differs from traditional prompt injection by leveraging long-lived system artifacts like memories and filesystems, transforming ephemeral model-level attacks into durable system-level vulnerabilities that accumulate over time.
The emergence of stateful agentic systems represents a paradigm shift in how large language models operate in production environments. Unlike traditional chatbots confined to single sessions, modern agents maintain persistent memories, file systems, and tool integrations that evolve across multiple interactions. This architectural advancement enables more sophisticated autonomous behavior but introduces a critical security gap that prior research has largely overlooked.
The cross-session stored prompt injection threat mirrors the evolution of web security, where stored cross-site scripting proved more damaging than reflected attacks due to persistence. An attacker injecting malicious instructions into a shared system artifact—such as embedding adversarial prompts within files or memory databases—creates a persistent vulnerability that silently influences all subsequent agent executions. This compounds exponentially as the agent operates across sessions with different users or contexts, potentially amplifying the attacker's impact without detection.
For developers and organizations deploying agentic systems, this vulnerability poses substantial operational and security risks. Compromised agent behavior could lead to data exfiltration, unintended autonomous actions, or system manipulation that persists indefinitely until explicitly remediated. The research establishes a benchmark for quantifying these risks across different models and attack vectors, enabling systematic vulnerability assessment.
The significance of this work lies in forcing the security community to reconsider threat models for AI systems. As agents become more autonomous and persistent, traditional security assumptions about session isolation and ephemeral threats become obsolete. Organizations must now implement state-level safeguards, audit trails, and integrity verification mechanisms comparable to those protecting databases and file systems, not just model-level input validation.
- Stored prompt injection transforms traditional ephemeral prompt attacks into persistent system-level vulnerabilities that survive across multiple sessions
- Agentic systems' persistent state artifacts, including memories, filesystems, and tools, create new attack surfaces requiring fundamentally different security approaches
- The threat parallels stored cross-site scripting in web systems, demonstrating how persistence mechanisms substantially increase attack surface and impact duration
- Current security evaluation frameworks focus on single-session model-level threats and fail to capture cross-session system-level risks in agentic architectures
- Organizations deploying autonomous agents must implement state-level safeguards and audit mechanisms beyond traditional input validation
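One way to apply the state-level integrity verification and audit trail described above to an agent's memory store, shown as an added example that is not code from the research or from any agent framework. The key, the provenance labels, the entry layout and all function names are assumptions made for illustration, and the sample entries are constructed.

```python
import hashlib
import hmac
import json

# Assumption: the key lives outside agent-writable state (e.g. a secrets manager).
KEY = b"constructed-demo-key"
TRUSTED_SOURCES = {"user", "operator"}  # hypothetical provenance labels

def _tag(entry: dict) -> str:
    msg = json.dumps([entry["session"], entry["source"], entry["content"]]).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def write_memory(store: list, session: str, source: str, content: str) -> None:
    """Trusted write path: record provenance and seal the entry with an HMAC."""
    entry = {"session": session, "source": source, "content": content}
    entry["tag"] = _tag(entry)
    store.append(entry)

def load_memory(store: list, audit: list) -> dict:
    """Run at the start of every session, before any entry reaches the model."""
    out = {"instructions": [], "untrusted_data": []}
    for i, entry in enumerate(store):
        try:
            ok = hmac.compare_digest(entry["tag"], _tag(entry))
        except (KeyError, TypeError):
            ok = False  # missing or malformed fields count as a failed check
        if not ok:
            audit.append({"index": i, "action": "quarantined", "reason": "bad_tag"})
            continue
        if entry["source"] in TRUSTED_SOURCES:
            out["instructions"].append(entry["content"])
        else:
            # Valid tag but low-trust origin: pass as data, never as instructions.
            out["untrusted_data"].append(entry["content"])
            audit.append({"index": i, "action": "demoted", "reason": entry["source"]})
    return out

def demo():
    store, audit = [], []
    write_memory(store, "s1", "user", "Prefer concise answers.")
    write_memory(store, "s1", "web", "Page text fetched by a tool.")
    write_memory(store, "s1", "user", "Use metric units.")
    # Constructed tampering: an entry edited in storage after it was sealed.
    store[2]["content"] = "Edited out of band."
    # Constructed tampering: an entry inserted without the trusted write path.
    store.append({"session": "s1", "source": "user", "content": "x", "tag": "00"})
    return load_memory(store, audit), audit
```

The tag only detects state changed outside the trusted write path; content the agent itself stored from a low-trust source still verifies, which is why provenance is sealed into the tag and used to keep such entries out of the instruction context.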