defense 2026

WebAgentGuard: A Reasoning-Driven Guard Model for Detecting Prompt Injection Attacks in Web Agents

Yulin Chen 1, Tri Cao 1, Haoran Li 2, Yue Liu 1, Yibo Li 1, Yufei He 1, Le Minh Khoi 1, Yangqiu Song 2, Shuicheng Yan 1, Bryan Hooi 1

1 National University of Singapore

2 HKUST

0 citations
α

Published on arXiv

2604.12284

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Consistently outperforms strong baselines across multiple benchmarks while preserving agent utility and introducing no additional latency via parallel execution

WebAgentGuard

Novel technique introduced

Web agents powered by vision-language models (VLMs) enable autonomous interaction with web environments by perceiving and acting on both visual and textual webpage content to accomplish user-specified tasks. However, they are highly vulnerable to prompt injection attacks, where adversarial instructions embedded in HTML or rendered screenshots can manipulate agent behavior and lead to harmful outcomes such as information leakage. Existing defenses, including system prompt defenses and direct fine-tuning of agents, have shown limited effectiveness. To address this issue, we propose a defense framework in which a web agent operates in parallel with a dedicated guard agent, decoupling prompt injection detection from the agent's own reasoning. Building on this framework, we introduce WebAgentGuard, a reasoning-driven, multimodal guard model for prompt injection detection. We construct a synthetic multimodal dataset using GPT-5 spanning 164 topics and 230 visual and UI design styles, and train the model via reasoning-intensive supervised fine-tuning followed by reinforcement learning. Experiments across multiple benchmarks show that WebAgentGuard consistently outperforms strong baselines while preserving agent utility, without introducing additional latency.

Key Contributions

  • WebAgentGuard: reasoning-driven multimodal guard model for prompt injection detection in web agents
  • Synthetic multimodal dataset covering 164 topics and 230 visual/UI design styles using GPT-5
  • Parallel guard architecture that decouples detection from agent reasoning with no added latency

🛡️ Threat Analysis

Details

Domains
multimodalnlp
Model Types
vlmmultimodalllm
Threat Tags
inference_time
Applications
web agentsautonomous browsingvlm-based task automation
Read PDF arXiv

Similar Papers

defense

ARGUS: Defending Against Multimodal Indirect Prompt Injection via Steering Instruction-Following Behavior

2025 1 cit.
92%
defense

Omni-Safety under Cross-Modality Conflict: Vulnerabilities, Dynamics Mechanisms and Efficient Alignment

2026 0 cit.
92%
defense

Relationship-Aware Safety Unlearning for Multimodal LLMs

2026 0 cit.
86%
defense

Co-Evolutionary Multi-Modal Alignment via Structured Adversarial Evolution

2026 0 cit.
86%
defense

Evolving Contextual Safety in Multi-Modal Large Language Models via Inference-Time Self-Reflective Memory

2026 0 cit.
86%
defense

GuardReasoner-Omni: A Reasoning-based Multi-modal Guardrail for Text, Image, and Video

2026 0 cit.
86%
defense

Clouding the Mirror: Stealthy Prompt Injection Attacks Targeting LLM-based Phishing Detection

2026 0 cit.
85%
defense

Multi-turn Jailbreaking Attack in Multi-Modal Large Language Models

2026 1 cit.
85%