Prompt Injection Stopped Being a Single-Session Problem
A June 2026 paper borrows the stored cross-site scripting model from web security to describe an injection that persists inside an agent's state long after the attacker's original interaction ends.
Prior research on prompt injection has treated the vulnerability as bounded by the session in which it occurs: a malicious instruction enters through a tool result, a webpage, or a document, the model acts on it, and the episode closes when the conversation does. A paper posted to arXiv on June 3, 2026, titled "What If Prompt Injection Never Left? Exploring Cross-Session Stored Prompt Injection in Agentic Systems," by Yuanbo Xie, Tianyun Liu, Yingjie Zhang, Suchen Liu, Yulin Li, Liya Su, and Tingwen Liu, argues that this framing describes a threat model agentic systems have already outgrown.
The paper's argument rests on an architectural observation: modern agentic systems are no longer session-bounded assistants. They persist and evolve shared world state across sessions through memories, filesystems, tools, and other long-lived contextual artifacts. That persistence, built to make agents more useful over time, is also what expands the attack surface of prompt injection into territory prior research did not model. The paper states the gap plainly: prior work "largely focused on model-level threats within a single session, overlooking how cross-session persistent system state fundamentally changes the system-level risk of agentic systems."
The Stored XSS Analogy
To name the threat, the authors borrow directly from web application security. Stored cross-site scripting, a well-understood category of web vulnerability, occurs when malicious script is saved on a server and later served to other users without their having interacted with the original attacker. The authors introduce the analogous concept for agentic systems: cross-session stored prompt injection, in which a successful injection persists within agentic system state and silently influences future executions long after the original attacker interaction has ended.
The analogy is doing real conceptual work here. Reflected prompt injection, like reflected XSS, requires the attacker's payload to be present in the immediate exchange. Stored prompt injection, like stored XSS, requires only that the payload was written once, successfully, into whatever the agent treats as durable state. Every subsequent session that reads that state inherits the exposure, regardless of whether that session has any relationship to the original attack.
Formalizing an Informal Threat
Much of the paper's contribution is definitional rather than purely empirical. The authors formalize stored prompt injection as a distinct threat category and develop a taxonomy describing how adversarial content persists and affects agentic systems across sessions. They then build a benchmark and sandbox toolkit specifically designed to evaluate this class of risk, enabling quantitative comparison of attack success across different models, different attacker goals, and different persistence channels, rather than relying on the single-session benchmarks the field has used to date.
The paper's central claim, stated in its own words, is that "persistence transforms prompt injection from an ephemeral model-level threat into a long-lived system-level vulnerability embedded within agent execution state." The distinction between model-level and system-level matters for where a defense would need to sit. A model-level defense operates on a single inference call. A system-level vulnerability embedded in execution state requires a defense that can inspect, and potentially revoke, content the agent wrote to its own persistence layer at some earlier, disconnected point in time.
Where This Sits Relative to Memory Poisoning
This threat model overlaps conceptually with memory poisoning research examining adversarial writes to agent memory, but the framing here is broader: the paper's persistence channels include memories, filesystems, and tools, not memory alone. A stored injection surviving in a filesystem artifact an agent reads on every subsequent invocation, for instance, does not require the memory subsystem specifically to be compromised. Any long-lived contextual artifact the agent trusts by default is a candidate channel.
This distinction matters for the Five Categories advisory issued by CISA, NSA, and allied agencies, which frames Structural risk around the interconnected topology between agents, tools, and the outside world, noting that this interconnection "increases the attack surface and complexity of the system." Cross-session stored prompt injection is a concrete instance of that abstract structural concern: the attack surface is not just the tools an agent calls in a given session, but every artifact from every prior session that the agent's architecture treats as trustworthy by default.
Extending the Fog
The recurring argument in this arc is that visibility into an agent's current output does not establish verifiability of the process that produced it. This paper adds a temporal dimension to that argument: even a fully instrumented, carefully monitored single session cannot establish that the agent's behavior in that session is uninfluenced by content injected in a prior, unmonitored one. An audit scoped to a single session, however thorough, is scoped to the wrong unit of analysis if the vulnerability the paper describes is real and unaddressed. The paper's own framing, that this transformation has already happened and prior research simply had not modeled it, suggests the gap is not hypothetical but already embedded in systems currently in production.
Open Questions
- What would a session-scoped audit need to check to rule out cross-session stored prompt injection, given that the injected content may originate from a session outside the audit's boundary entirely?
- How does a supervisor distinguish content in an agent's persistent state that reflects legitimate accumulated context from content that reflects a stored injection from a prior session?
- At what point does treating memories, filesystems, and tool outputs as uniformly trustworthy become an indefensible default, given that each is a candidate persistence channel under this taxonomy?
- What standard applies when an incident traces back to a stored injection from a session that predates the current operator's monitoring window entirely?
- Does the benchmark and sandbox toolkit generalize across agent frameworks in production, or does it characterize risk only within the specific architectures it was built to test?
- Who is responsible for retroactively auditing an agent's existing persistent state for stored injections once the threat category itself becomes known, and how far back does that obligation extend?
The loop closed around an oversight function that was never instrumented.