EchoLeak (CVE-2025-32711, disclosed by Aim Security in June 2025 against Microsoft 365 Copilot) is the canonical example of a class of attacks rather than a single vulnerability: cross-agent prompt injection in which a malicious payload travels through ordinary content channels (an email, a shared document, a calendar invite, a tool response) into one or more agents' context windows, where it manipulates the agents into actions the deploying enterprise did not authorise, with no user interaction required. The attack class is structurally inherent to any architecture in which an LLM-based agent ingests untrusted content and has tool surfaces capable of exfiltration or action; closing the class requires architectural separation between content-ingest and tool-execution privileges, not point-fixes against specific exploit chains. Enterprises in 2026 operating multiple agents that share context, share memory, or hand off tasks to each other are structurally exposed to the EchoLeak class until the architectural separation is implemented.

EchoLeak / cross-agent prompt-injection class analysis. 60-day review cadence given the active research front. Watches: (1) new CVEs in the cross-agent prompt-injection class (multiple research groups are actively probing major agent platforms; expect 2-4 additional public CVEs in 2026), (2) vendor-side architectural responses (Microsoft's post-EchoLeak hardening, Anthropic's Managed Agents context-isolation primitives, OpenAI's Operator sandboxing), (3) regulator response under EU AI Act Article 15 (cybersecurity provisions) which is likely to formalise the cross-agent prompt-injection class as a foreseeable risk by Q4 2026.