Cross-agent prompt injection
Also known as: agent-to-agent injection, multi-agent prompt injection
An attack class in which adversarial instructions are placed into the context of one AI agent and then propagate to another AI agent through inter-agent communication, retrieval, shared memory, or tool-call return values. Unlike single-agent prompt injection, the attack vector exploits the trust path between agents — content one agent ingests can become instruction another agent acts on, especially when the second agent has higher action authority than the first.
Cross-agent prompt injection is the dominant 2026 enterprise threat that single-agent OWASP frameworks under-cover. Detection is structurally harder than single-agent injection because the bad payload often passes through a content-ingest path that is correctly permissioned for content but is not designed to police instructions. The defensive primitives — content-ingest vs tool-execution privilege separation, broker-mediated message routing, provenance tagging on retrieved context — are at the architecture layer, not at the model layer.