VERIK / V073 / 10 JUN 2026
Operating in the FogAcademic

Prompt Injection Stopped Being a Single-Session Problem

A June 2026 paper borrows the stored cross-site scripting model from web security to describe an injection that persists inside an agent's state long after the attacker's original interaction ends.

Prior research on prompt injection has treated the vulnerability as bounded by the session in which it occurs: a malicious instruction enters through a tool result, a webpage, or a document, the model acts on it, and the episode closes when the conversation does. A paper posted to arXiv on June 3, 2026, titled "What If Prompt Injection Never Left? Exploring Cross-Session Stored Prompt Injection in Agentic Systems," by Yuanbo Xie, Tianyun Liu, Yingjie Zhang, Suchen Liu, Yulin Li, Liya Su, and Tingwen Liu, argues that this framing describes a threat model agentic systems have already outgrown.

The paper's argument rests on an architectural observation: modern agentic systems are no longer session-bounded assistants. They persist and evolve shared world state across sessions through memories, filesystems, tools, and other long-lived contextual artifacts. That persistence, built to make agents more useful over time, is also what expands the attack surface of prompt injection into territory prior research did not model. The paper states the gap plainly: prior work "largely focused on model-level threats within a single session, overlooking how cross-session persistent system state fundamentally changes the system-level risk of agentic systems."

The Stored XSS Analogy

To name the threat, the authors borrow directly from web application security. Stored cross-site scripting, a well-understood category of web vulnerability, occurs when malicious script is saved on a server and later served to other users without their having interacted with the original attacker. The authors introduce the analogous concept for agentic systems: cross-session stored prompt injection, in which a successful injection persists within agentic system state and silently influences future executions long after the original attacker interaction has ended.

The analogy is doing real conceptual work here. Reflected prompt injection, like reflected XSS, requires the attacker's payload to be present in the immediate exchange. Stored prompt injection, like stored XSS, requires only that the payload was written once, successfully, into whatever the agent treats as durable state. Every subsequent session that reads that state inherits the exposure, regardless of whether that session has any relationship to the original attack.

Formalizing an Informal Threat

Much of the paper's contribution is definitional rather than purely empirical. The authors formalize stored prompt injection as a distinct threat category and develop a taxonomy describing how adversarial content persists and affects agentic systems across sessions. They then build a benchmark and sandbox toolkit specifically designed to evaluate this class of risk, enabling quantitative comparison of attack success across different models, different attacker goals, and different persistence channels, rather than relying on the single-session benchmarks the field has used to date.

The paper's central claim, stated in its own words, is that "persistence transforms prompt injection from an ephemeral model-level threat into a long-lived system-level vulnerability embedded within agent execution state." The distinction between model-level and system-level matters for where a defense would need to sit. A model-level defense operates on a single inference call. A system-level vulnerability embedded in execution state requires a defense that can inspect, and potentially revoke, content the agent wrote to its own persistence layer at some earlier, disconnected point in time.

Where This Sits Relative to Memory Poisoning

This threat model overlaps conceptually with memory poisoning research examining adversarial writes to agent memory, but the framing here is broader: the paper's persistence channels include memories, filesystems, and tools, not memory alone. A stored injection surviving in a filesystem artifact an agent reads on every subsequent invocation, for instance, does not require the memory subsystem specifically to be compromised. Any long-lived contextual artifact the agent trusts by default is a candidate channel.

This distinction matters for the Five Categories advisory issued by CISA, NSA, and allied agencies, which frames Structural risk around the interconnected topology between agents, tools, and the outside world, noting that this interconnection "increases the attack surface and complexity of the system." Cross-session stored prompt injection is a concrete instance of that abstract structural concern: the attack surface is not just the tools an agent calls in a given session, but every artifact from every prior session that the agent's architecture treats as trustworthy by default.

Extending the Fog

The recurring argument in this arc is that visibility into an agent's current output does not establish verifiability of the process that produced it. This paper adds a temporal dimension to that argument: even a fully instrumented, carefully monitored single session cannot establish that the agent's behavior in that session is uninfluenced by content injected in a prior, unmonitored one. An audit scoped to a single session, however thorough, is scoped to the wrong unit of analysis if the vulnerability the paper describes is real and unaddressed. The paper's own framing, that this transformation has already happened and prior research simply had not modeled it, suggests the gap is not hypothetical but already embedded in systems currently in production.

Open Questions

The loop closed around an oversight function that was never instrumented.