attack 2026

Conjunctive Prompt Attacks in Multi-Agent LLM Systems

Nokimul Hasan Arif , Qian Lou , Mengxin Zheng

University of Central Florida

0 citations
α

Published on arXiv

2604.16543

Prompt Injection

OWASP LLM Top 10 — LLM01

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Routing-aware optimization substantially increases attack success over non-optimized baselines while keeping false activations low across all topologies

Conjunctive Prompt Attacks

Novel technique introduced

Most LLM safety work studies single-agent models, but many real applications rely on multiple interacting agents. In these systems, prompt segmentation and inter-agent routing create attack surfaces that single-agent evaluations miss. We study \emph{conjunctive prompt attacks}, where a trigger key in the user query and a hidden adversarial template in one compromised remote agent each appear benign alone but activate harmful behavior when routing brings them together. We consider an attacker who changes neither model weights nor the client agent and instead controls only trigger placement and template insertion. Across star, chain, and DAG topologies, routing-aware optimization substantially increases attack success over non-optimized baselines while keeping false activations low. Existing defenses, including PromptGuard, Llama-Guard variants, and system-level controls such as tool restrictions, do not reliably stop the attack because no single component appears malicious in isolation. These results expose a structural vulnerability in agentic LLM pipelines and motivate defenses that reason over routing and cross-agent composition. Code is available at https://github.com/UCF-ML-Research/ConjunctiveAgents.

Key Contributions

  • Introduces conjunctive prompt attacks where trigger and template appear benign in isolation but activate harmful behavior when routing brings them together
  • Topology-aware attack optimization across star, chain, and DAG agent communication structures
  • Demonstrates that existing defenses (PromptGuard, Llama-Guard, tool restrictions) fail because no single component appears malicious

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
black_boxinference_timetargeted
Applications
multi-agent llm systemsagentic ai assistantstask decomposition pipelines
Read PDF arXiv Code

Similar Papers

defense

A Safety and Security Framework for Real-World Agentic Systems

2025 2 cit.
88%
benchmark

Penetration Testing of Agentic AI: A Comparative Security Analysis Across Models and Frameworks

2025 0 cit.
82%
survey

Agentic AI as a Cybersecurity Attack Surface: Threats, Exploits, and Defenses in Runtime Supply Chains

2026 0 cit.
82%
defense

SafeHarness: Lifecycle-Integrated Security Architecture for LLM-based Agent Deployment

2026 0 cit.
82%
benchmark

From Assistant to Double Agent: Formalizing and Benchmarking Attacks on OpenClaw for Personalized Local AI Agent

2026 0 cit.
82%
defense

STARS: Skill-Triggered Audit for Request-Conditioned Invocation Safety in Agent Systems

2026 0 cit.
82%
survey

Systems Security Foundations for Agentic Computing

2025 3 cit.
82%
benchmark

Evaluating Privilege Usage of Agents on Real-World Tools

2026 0 cit.
82%