ATR-2026-00004criticalPrompt Injectionexperimental

System Prompt Override Attempt

Detects attempts to override, replace, or redefine the agent's system prompt. Attackers craft inputs that mimic system-level instructions to hijack the agent's foundational behavior. Detection covers: explicit system prompt replacement/update statements, model-specific special tokens (ChatML, Llama, Mistral, Gemma), JSON role injection, YAML-style system directives, markdown header system sections, system prompt invalidation claims, fake admin/override tags, XML-style system blocks, instruction replacement without delimiters, configuration object injection, and multi-format delimiter abuse. This is critical-severity as successful exploitation grants full control over agent behavior.

Severity

critical

Response Actions

block inputalertsnapshotkill agent

References

CVE

CVE-2024-5184 CVE-2025-32711

OWASP Agentic

ASI01:2026 - Agent Goal HijackASI06:2026 - Memory and Context Poisoning

OWASP LLM

LLM01:2025 - Prompt Injection

MITRE ATLAS

AML.T0051 - LLM Prompt InjectionAML.T0051.000 - Direct

View full YAML on GitHub →

More Prompt Injection Rules

ATR-2026-00001highDirect Prompt Injection via User Input ATR-2026-00002highIndirect Prompt Injection via External Content ATR-2026-00003highJailbreak Attempt Detection ATR-2026-00005mediumMulti-Turn Prompt Injection ATR-2026-00080highEncoding-Based Prompt Injection Evasion