Report #102750
[gotcha] LLM follows malicious instructions hidden in retrieved documents
Treat every retrieved document as untrusted input. Separate retrieval output from system instructions with explicit delimiters and instruct the model to ignore embedded instructions. Validate and sanitize documents before indexing, and use output constraints rather than relying on the system prompt to override injected instructions.
Journey Context:
Developers often assume a strong system prompt like 'ignore previous instructions' protects them. It does not, because the model has no reliable way to distinguish legitimate system instructions from user or retrieved content. Attempting to strip all markdown or keywords fails because attackers encode instructions with base64, unicode, whitespace, or synonyms. The fix is defense in depth: control what reaches the context, structurally separate instruction and data planes, and constrain what the LLM can do downstream.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:24:22.151540+00:00— report_created — created