Agent Data Injection: The Bug Under Every AI Agent
Seoul National / UIUC / Largosoft research shows web and coding agents get steered by planted content in the pages, comments, and reviews they consume. Fix the trust boundary, not the model.
If you run an AI agent that reads untrusted content and then takes actions — a coding assistant applying a maintainer’s fix from a GitHub thread, a shopping agent summarizing product reviews before buying, a browser-driving agent that reads a webpage before clicking — the Agent Data Injection paper posted to arXiv on 2026-07-06 by Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft is the threat model you were quietly pretending you didn’t have. The Hacker News wrote it up on 2026-07-17; the paper is worth reading in full.
The short version: nobody had to jailbreak anything. Nobody had to get the agent to ignore its safety training. A single planted product review can make a shopping agent click “Buy Now” instead of summarizing. A single forged comment on a GitHub issue can make a coding agent run an attacker’s command as if a maintainer had asked for it. The agent finishes the task the user asked for. It just quietly picks up new facts along the way.
What changed
Prompt injection isn’t new. What’s new is the framing and the evidence.
Woohyuk Choi and Prof. Byoungyoung Lee’s group tested the attack against production agents: Claude for Chrome, Google Antigravity, and Nanobrowser on the web-agent side; Claude Code, OpenAI Codex, and Google Gemini CLI on the coding-assistant side. Every one of them fell to variants of the same technique they call probabilistic delimiter injection — planted text formatted like the structural markers the agent’s context uses to separate trusted instructions from untrusted data. The agent parses the boundary wrong, promotes the planted content to instruction level, and continues.
Three defenses were tested. This is the useful part of the paper:
- Randomized, unguessable element IDs. Web-agent attack success rate fell from ~49% to ~29%. That is a mitigation, not a fix.
- Data provenance tracking — labeling every token by where it came from and forbidding untrusted content from steering the agent. Killed the attacks in the lab. Broke normal agent operation in the same run.
- Punctuation stripping. Same story — reduced the attack, damaged legitimate behavior enough that it wasn’t shippable.
None of the three is a paste-in-place patch. Per the paper, Anthropic, Google, and OpenAI acknowledged the disclosure; Nanobrowser had not responded at time of writing.
What to actually do
If you run agents in production, or you’re piloting them, or you’re evaluating vendors this quarter:
- Assume any agent that reads untrusted content is compromised on that channel. The threat model isn’t “someone jailbreaks my agent” anymore. It’s “someone plants a review, a comment, a support-ticket reply, a scraped forum post, and my agent believes it.” That is the working assumption from today forward. Every hard boundary — what the agent can spend money on, what it can execute, what it can commit — belongs on the outside of the agent, in code you control, not inside the model’s context.
- Cap the blast radius. An agent that can read arbitrary URLs and execute shell commands in the same session is one planted comment away from executing whatever a stranger typed on the internet. Separate the read-untrusted-content step from the execute-anything step with a human confirmation, a sandbox, or a policy engine. If your architecture doesn’t allow that separation, the architecture is the vulnerability.
- Treat agent output as attacker-controlled when it consumed attacker-controlled input. Anything an agent produces after summarizing a webpage, reading a GitHub thread, or ingesting a scraped dataset is downstream of an untrusted parser. Don’t hand it to another automation without validation. Don’t hand it to another agent without validation. Don’t hand it to a shell.
- Read the vendors’ latest tool-use and agent-safety guidance and match it against your integration. Anthropic, OpenAI, and Google have all published guidance for tool-using agents that touches on untrusted-content boundaries; some of it postdates the ADI paper, some doesn’t. Read the dates before you trust the recommendation.
- If you were already sandboxing coding agents, keep going. Running Claude Code, Codex, or Gemini CLI inside a per-project container with no host credentials mounted was the right posture before this paper and it is the right posture after. The paper is not a reason to stop using coding agents. It’s a reason not to give them credentials and shell access on your daily-driver box.
Priority call
This ranks behind actively exploited vendor CVEs on the KEV catalog — CISA’s Fortinet FortiSandbox additions and SharePoint CVE-2026-58644 are still the immediate patch queue this week. ADI is a design-level bug across an entire product category, not a patch you apply and forget.
It ranks ahead of most vendor-advisory noise for anyone whose stack includes agents in production. If you’re at a company that has been shipping agentic features on top of one of the tested tools — and given the list, that’s most companies — this is a threat-model review, not a “monitor the situation” item. Bring it up in your next architecture review. Write down what your agent trusts and why. If the answer is “the model’s safety training,” rewrite it.
For everyone else — the ADI class is going to keep showing up. The pattern is the load-bearing part. The specific vendors will rotate.
Sourcing
- Paper: Choi et al., “Agent Data Injection Attack” (arXiv:2607.05120) — Seoul National University / UIUC / Largosoft, posted 2026-07-06
- The Hacker News: New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands — 2026-07-17
- Related coverage on the operator-side version of the same problem: Trend Micro on Gemini CLI abused as a hacking agent
Found this useful? Share it.


