[arXiv]score: 0.31

Error-Path Injection via MCP Tool Errors Triples Prompt Injection Success Rate

June 9, 2026

VATS shows that injecting adversarial payloads into tool error messages — exploiting the implicit authority agents assign to error context — triples indirect prompt injection success rates versus standard IPI, reaching 100% compliance on GPT-5.5, Gemini 3.1 Pro, GLM-5.1, and Qwen3-Coder in controlled tests. Sandwiching instructions within error context is the single most effective structural exploit across all four models.

HOW THIS AFFECTS YOU

●

builderAny MCP-based agent pipeline that surfaces raw tool error messages to the model is vulnerable — sanitize or isolate error content before it re-enters the reasoning loop.

●

founderIf your product uses MCP tool-calling, this attack surface is live in production today and needs mitigation before shipping autonomous agent features.

●

policyThis is a concrete, reproducible attack class against frontier models that current production guardrails do not block, with direct implications for agentic deployment safety standards.

read original ↗arxiv.org

← back to feed