Prompt injection is the SQL injection of the LLM era. Researchers spent the last year demonstrating that across real enterprise deployments — not lab environments — the attack class lands consistently and with serious impact. The vector isn't always what security teams assume. The highest-severity findings don't come from breaking the model itself. They come from what the model is connected to.
Here are seven prompt injection attacks that researchers demonstrated against production systems in 2025 and 2026.
#1: Stored Prompt Injection via Document Upload
Sean Park at [un]prompted 2026 demonstrated a KYC pipeline where a passport image contained malicious instructions embedded in hidden text. The AI field extraction agent processed OCR output indiscriminately — it couldn't distinguish passport data from attacker instructions. The MCP server exposed both read and write database access. One uploaded document later: 20 other customers' PII had been read and written into the attacker's entry.
The attack scales. Park's framework auto-generated 200 semantically diverse injection variants and tested them against 13 LLM backends. The point isn't that one payload works — it's that a determined attacker will find one that does.
Full attack chain with fuzzing methodology → Prompt Injection in AI KYC Pipelines
— -
#2: System Prompt Extraction at 60% Reliability
Jason Haddix at OWASP Global AppSec USA 2025 documented system prompt extraction succeeding roughly 60% of the time across real enterprise AI assessments. In one automotive company's RAG chatbot, extraction revealed Jira and Confluence API keys hardcoded directly in the system prompt — which then enabled VPN access via session hijacking.
This is the first try fallacy problem in reverse: a single failed extraction attempt proves nothing. The correct question is hit rate across 10–15 attempts. And the downstream impact of a successful extraction depends entirely on what's been embedded in that prompt.
Full 7-phase methodology and case studies → AI Red Teaming Methodology
— -
#3: Memory Poisoning for Persistent Backdoor Access
Will Vandevanter at OWASP AppSec USA 2025 (Trail of Bits) covers the attack class that most AI security assessments skip: an indirect prompt injection payload that causes an agent to write a malicious entry into its persistent memory store.
Memory poisoning converts a one-time injection into a standing backdoor. The malicious memory persists across every future session, triggering silently on specific conditions — with no further attacker interaction. It's structurally equivalent to planting a rootkit through a document upload. Once it's in the memory store, the injection surface is gone but the access remains.
Full threat model and testing methodology → Indirect Prompt Injection: Architectural Testing Approaches
— -
#4: Cross-Service Prompt Injection With No Shared Detection
Natalie Isak and Waris Gill at [un]prompted 2026 (Microsoft) mapped a structural gap in enterprise AI security: separate AI products — copilots, assistants, API services — each run their own safety stack with no shared threat signal. An attacker who discovers an effective prompt injection against one service can spray it, with variations, across the entire portfolio. Service A's detection generates no block in Service B.
Binary Shield addresses this with a four-step fingerprinting pipeline: PII redaction, embedding generation, binary quantization, and differential privacy noise injection. The resulting compact vector correlates attack variants 36x faster than dense embeddings and crosses service boundaries without exposing user content.
Full fingerprinting architecture → AI Fingerprinting for Cross-Service Prompt Injection Detection
— -
#5: AI Meeting Notetaker Manipulation
Joe Sullivan at [un]prompted 2026 documented a prompt injection against Otter.ai: a participant speaking "ignore all prior instructions" before a recorded meeting destroyed the entire meeting summary. No technical access required. No forensic artifact left behind.
But manipulation doesn't require injection. Sullivan documented four techniques — high-signal anchor phrases, positional gaming at meeting transitions, contrastive framing, and format mirroring — that let any participant influence what an AI notetaker records as the official outcome. Combine that with OAuth scope creep across calendar, email, and contact systems, and AI notetakers represent an unmanaged attack surface inside most enterprise environments.
Full risk breakdown and enterprise controls → AI Notetaker Security Risks
— -
#6: Blind XSS Surviving Through AI Document Pipelines Into Human Review Dashboards
JHaddix's healthcare case study at OWASP AppSec involved a malicious PDF fed to an AI document pipeline. The injected JavaScript wasn't caught by the LLM layers — it survived all the way through to the human-review dashboard downstream. From there, it embedded itself in the next model training round and continued triggering callback beacons for weeks.
This is a different attack class than prompt injection against the model. It targets the web application ecosystem surrounding the AI system — the same attack surface that existed before AI was involved, now reachable through document inputs that teams assume the AI "handles."
Full 7-phase methodology → AI Red Teaming Methodology
— -
What This Means
The pattern across all seven attacks: the damage doesn't come from breaking the model's safety training. It comes from the infrastructure surrounding the model — tool permissions, system prompt contents, data pipeline trust boundaries, and downstream web applications that weren't built to receive AI-processed output.
Teams doing AI security reviews that focus exclusively on jailbreaks and guardrail bypasses are auditing the wrong layer. The critical attack surface is the one traditional AppSec already knows how to find.
— -
The Cyber Archive — deep-dive analysis of infosec conference talks. Browse the prompt injection archive → thecyberarchive.com/prompt-injection/