Cross-Session Stored Prompt Injection in LangChain, AutoGPT, and Microsoft AutoGen
Agentic frameworks are transitioning from stateless interactions to stateful autonomy, introducing Cross-Session Stored Prompt Injection. This vulnerability allows attackers to embed malicious instructions into an agent's persistent state—including long-term episodic memory, vector databases (RAG), and tool-use logs—which are later retrieved as "trusted" context in subsequent sessions. By poisoning the internal state, attackers bypass per-session input sanitization to achieve persistent goal hijacking, unauthorized tool execution, and data exfiltration. This shift mirrors the evolution from Reflected to Stored XSS, where the attack is temporally decoupled from the injection, creating "sleeper" payloads that activate upon specific retrieval triggers.