Skip to content

AI term · last reviewed 2026-07-07

Prompt injection

Also known as: Direct injection, Indirect injection

Prompt injection is an attack where untrusted text hijacks the instructions a language model follows; indirect injection, where hostile instructions live inside data the model reads, is the most dangerous form.

How it works

Prompt injection is an attack where untrusted text hijacks the instructions a language model follows, making it ignore its real task and do the attacker's bidding instead. It works because a model sees one flat stream of tokens and cannot reliably tell developer instructions from user input or from data it retrieves. Direct injection comes from the user typing hostile instructions. Indirect injection is more dangerous: the hostile instructions live inside content the model reads (a web page, an email, a retrieved document), so an innocent user triggers an attacker's payload. OWASP ranks it as LLM01, the top LLM application risk (owasp.org).

When it matters

Prompt injection matters for any application that feeds untrusted content into a model, which is nearly all of them: RAG pipelines, email summarizers, agents that browse or call tools. When the model can also act (via tool use or an MCP server), a text problem becomes a real-world incident: data exfiltration, unauthorized actions, or leaked secrets. See Red-Team an LLM and Secure an MCP Server.

Common misconceptions

  • "A better system prompt fixes it." The system prompt is just more tokens; indirect injection routinely overrides it. No prompt-level fix is complete.
  • "Injection equals [jailbreak](/glossary/jailbreak/)." A jailbreak defeats safety training; injection hijacks the instructions the app relies on. Related, not identical.
  • "[Guardrails](/glossary/guardrails/) stop it." Filters cut volume; the durable defense is architectural (least privilege, untrusted-data handling).
← All terms