arXiv: What If Prompt Injection Never Left? Exploring Cross-Session Stored Prompt Injection in Agentic Systems

This publication, a research paper from arXiv, identifies a new vulnerability in AI agentic systems called cross-session stored prompt injection. Unlike traditional prompt injection attacks that occur within a single interaction, this attack embeds malicious instructions into a system’s long-term memory or external storage, such as databases or vector stores. These instructions then persist across multiple user sessions, effectively poisoning the AI agent’s behavior over time without the user’s knowledge. The paper demonstrates that current safety guardrails, which typically check inputs per session, fail to detect or block this stored threat.

This finding directly affects any organization deploying AI agents that rely on persistent memory, retrieval-augmented generation, or external knowledge bases. Sectors such as financial services, healthcare, legal tech, and customer service automation are particularly exposed, as these systems often store sensitive user data and execute actions based on recalled information. Compliance teams must recognize that existing AI risk assessments and security controls may be insufficient to address this cross-session attack vector.

Compliance teams should immediately review their AI system architectures to identify any components that store or retrieve data across sessions. Update your AI risk register to include this vulnerability as a new threat category. Work with engineering to implement session-level isolation for stored data, enforce strict input validation on all data written to memory, and conduct penetration testing specifically targeting persistent storage. Finally, ensure that your incident response plan covers scenarios where stored prompts have been compromised, and consider adding this to your next regulatory filing or internal audit scope.