ObliInjection: Order-Oblivious Prompt Injection Attack to LLM Agents with Multi-source Data
Reachal Wang
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · AI Security
Most prompt injection attacks assume the attacker controls the entire data portion of an LLM's input. In real-world multi-source scenarios -- product review summarization, AI-powered search, multi-document QA -- the attacker controls only **one segment** among many, and critically, does not know the ordering of segments in the final prompt. This talk introduces **ObliInjection**, the first **order-oblivious prompt injection attack** that succeeds regardless of segment ordering. Using an iterative token-by-token optimization algorithm with a novel **order-oblivious loss function**, ObliInjection achieves high attack success rates (ASR) across **12 LLMs** including both open and closed-source models, consistently outperforms all baselines, transfers to unseen models, and bypasses both prevention and detection-based defenses.
AI review
A genuinely practical and novel prompt injection attack that addresses the real-world multi-source setting where existing attacks fail. The order-oblivious loss function is an elegant solution to the segment ordering uncertainty problem. High ASR across 12 LLMs, effective transfer to GPT-4o, and complete bypass of all tested defenses -- both prevention and detection. This is the kind of attack research that should change how people build multi-source LLM applications.