Risk
Indirect / Cross-Source Prompt Injection (XPIA)
Description
Malicious content in external sources the agent reads at runtime (documents, web pages, tickets, retrieved knowledge) triggers unintended agent actions.
Example
A poisoned PDF in a shared document store causes the agent to exfiltrate cross-tenant data when summarizing it.
Assets Affected
Dataset / RAG
Tool
3rd-Party AI Integration
AI Agent
Mitigation
- Sanitize and validate external content
- restrict sources to allowlisted origins
- monitor for indirect injection
- treat retrieved content as untrusted.
Standards Mapping
- ISO: A.7.6
- OWASP agentic: ASI01, ASI06
- OWASP LLM: LLM01:2025
- EU AI Act: Art. 15(5)
- DASF: Model Serving 9.9, Agents-MCP Server 13.24
- AIUC-1: B001, B005