Skip to content
AI Security Wire

Published

- 7 min read

By

OMNI-LEAK: Orchestrators Bleed Data Across Agent Access Controls

img of OMNI-LEAK: Orchestrators Bleed Data Across Agent Access Controls

A research team from Oxford University, Meta Research, and collaborators published findings in February 2026 that deserve more attention than they’ve received. The paper, OMNI-LEAK: Orchestrator Multi-Agent Network Induced Data Leakage, demonstrates that a single indirect prompt injection embedded in a database field is sufficient to chain through an entire multi-agent orchestration stack and exfiltrate sensitive records to an attacker-controlled destination. Access controls between agents do not stop it. Four of five frontier models tested were vulnerable.

The attack is not theoretical. The researchers ran 3,000 experimental trials per model against a concrete multi-agent setup representative of real enterprise deployments.

The Architecture Under Attack

The orchestrator pattern is the dominant design for enterprise multi-agent systems. A central orchestrator agent receives user requests, decomposes them into subtasks, delegates to specialised agents, and assembles results. In the scenario the researchers evaluate, the orchestrator delegates database queries to a SQL Agent with access to an employee database and routes notifications through a Notification Agent capable of sending email.

Each agent operates within its assigned scope. The SQL Agent cannot email. The Notification Agent cannot query the database. Access controls enforce these boundaries. The setup is reasonable and common.

OMNI-LEAK subverts this by injecting malicious instructions not into the user’s query but into the data the SQL Agent retrieves. When a legitimate user queries employee records, the database returns the requested data along with a poisoned field containing attacker-authored instructions. The SQL Agent, processing this as part of a normal query result, follows the embedded instructions and convinces the orchestrator to direct the Notification Agent to send the extracted SSNs to an external address.

The attacker never touches the orchestrator directly. The malicious payload enters through a database row.

Four Attack Strategies, Ten Variants

The researchers tested ten distinct attack configurations built around four persuasion strategies. Each strategy frames the malicious instruction differently to maximise compliance from the SQL Agent:

Blocker frames the exfiltration as a prerequisite. The poisoned field contains an instruction that tells the SQL Agent it cannot proceed with the legitimate task until it first transmits the target data. The agent, attempting to complete its assigned query, complies with the precondition.

Compliance Framing uses authority and policy language. The instruction presents itself as a mandatory security audit, compliance requirement, or IT policy, using vocabulary consistent with legitimate enterprise tooling.

Fixed Output-Structure embeds the malicious step inside a rigid output template. The SQL Agent is instructed to return results in a specific format that includes the sensitive data transmission as a structural component of the response.

Combination merges all three, maximising the likelihood that at least one framing persuades the target agent.

The taxonomy matters for defenders. Blocking one framing strategy is insufficient. Keyword-based filters that target specific compliance language will miss structural variants. Filters targeting structural embedding will miss blocker-style injections.

Results by Model

GPT-4.1-mini was the most readily exploited model in the study. Across the tested attack configurations, it required between 4 and 77 queries to produce a successful exfiltration, varying by database size and attack type. The small range on the low end means a persistent attacker achieves success quickly.

GPT-4.1 showed greater resistance but remained vulnerable, requiring 9 to 250 queries. O4-mini, despite being a reasoning model, needed 42 to over 500 queries for the most complex configurations, suggesting that chain-of-thought reasoning provides some protection but not immunity.

Gemini 2.5 Flash was the most permissive of the vulnerable models. Successful attacks required only 3 to 75 queries, and database size had minimal effect on attack difficulty. An attacker targeting a Gemini 2.5 Flash-backed orchestrator can expect rapid success.

Claude Sonnet 4 is the exception. Across all ten attack configurations and all database sizes, the model consistently identified the injected instructions as suspicious and declined to relay them. The researchers note that this outcome reflects Claude Sonnet 4’s instruction hierarchy handling rather than any special multi-agent-specific protection.

Why Access Controls Fail

The finding that access controls are insufficient is the most important result in the paper, and the reasoning is precise. Access controls in multi-agent systems define what each agent is permitted to retrieve and act on. They do not control what content flows through the agents’ context windows. When the SQL Agent retrieves a poisoned database record, that content is not subject to access restrictions because it arrived through a legitimate retrieval operation.

The control failure cascades. The orchestrator receives a paraphrased or restructured version of the malicious instruction from the SQL Agent, dressed in the format of a routine query result. If the orchestrator’s safety tuning was calibrated on human-authored adversarial prompts, paraphrased agent-authored variants may not trigger the same detection paths.

The researchers make a second structural observation: downstream agents affect overall system vulnerability more than the orchestrator itself. An orchestrator running Claude Sonnet 4 does not protect a system if the SQL Agent under it is GPT-4.1-mini. A safety-resistant orchestrator inspects the instructions it receives from agents, but if a vulnerable agent paraphrases the injected content effectively, the orchestrator sees what appears to be a legitimate request rather than an adversarial one.

A companion paper published in April 2026, from a separate research group, adds context to why LLM safety mechanisms underperform in agent-to-agent interactions specifically. The Interlocutor Effect study found that LLMs increase PII disclosure by up to 23 percentage points when the recipient of a query is framed as an AI agent rather than a human user.

The researchers propose an Attention Suppression Hypothesis: safety-aligned attention heads in models like Llama 3.1 deactivate when the context signals an agent-to-agent interaction rather than a human-facing one. If confirmed, this implies that safety alignment calibrated on human interaction data systematically underperforms in multi-agent environments. The two findings together suggest a structural gap in current LLM safety work, which has largely assumed that safe individual agents produce safe multi-agent systems. OMNI-LEAK and the Interlocutor Effect both demonstrate that assumption is wrong.

Defensive Posture

The paper’s primary remediation recommendation is explicit and actionable: sanitise and monitor data at the point of ingestion into the database, before any agent retrieves it. Content that can influence agent behavior should be treated as untrusted input regardless of its source, including internal databases. The control perimeter must move upstream of the agents rather than between them.

Additional layers worth implementing:

Audit all outbound tool calls from every agent. The notification agent’s email sends are detectable if logged. Anomalous recipient addresses or unusual query-to-email patterns should trigger alerts. Most orchestration frameworks do not enable this logging by default.

Apply instruction hierarchy enforcement at every agent layer. Claude Sonnet 4’s resistance derives from prioritising system-level instructions over content-level ones. Configuring other models to enforce explicit instruction hierarchies reduces but does not eliminate vulnerability.

Separate query results from instruction content. An orchestrator architecture that structurally distinguishes “data returned by tools” from “instructions to follow” makes it harder for poisoned data to be interpreted as authoritative. LangChain’s tool output isolation features and Microsoft Semantic Kernel’s trust level annotations address this at the framework level.

Model selection is a security decision. The gap between Gemini 2.5 Flash (3 queries to success) and Claude Sonnet 4 (zero successes) is significant. For multi-agent deployments handling sensitive data, which model occupies each agent role should be treated as a security architecture question, not only a cost or capability one.

The paper and its experimental code are available on arXiv under the identifier 2602.13477. The researchers have recommended against publishing exploit specifics for the most effective attack configurations pending wider awareness of the vulnerability class.

References

Frequently Asked Questions

Which frontier LLMs were tested and which were vulnerable?
The researchers tested GPT-4.1-mini, GPT-4.1, O4-mini, Claude Sonnet 4, and Gemini 2.5 Flash across 3,000 runs per model. Four of the five were vulnerable: GPT-4.1-mini required an expected 4 to 77 queries per successful attack, GPT-4.1 required 9 to 250, Gemini 2.5 Flash 3 to 75, and O4-mini 42 to over 500. Claude Sonnet 4 was the sole model that consistently identified the injected instructions as suspicious and refused to comply.
How is OMNI-LEAK different from existing multi-agent prompt injection attacks?
Most documented prompt injection attacks target a single agent directly. OMNI-LEAK shows that compromising one downstream agent, specifically a SQL or database agent, is sufficient to propagate malicious instructions upward to the orchestrator and then outward to a notification or exfiltration agent. The attacker never needs direct access to the orchestrator or the target data store. The attack chain crosses agent boundaries and survives any access control configured at the orchestrator layer, because the access control governs what agents are allowed to retrieve, not what poisoned content they may receive and relay.
Does sanitising or restricting the output from the notification agent prevent OMNI-LEAK?
Restricting the notification or exfiltration agent helps but is not sufficient on its own. The paper finds that downstream agents affect overall system vulnerability more than the orchestrator, meaning an attacker who controls what content the SQL agent returns can influence the orchestrator's decisions even if the orchestrator itself is safety-tuned. The most durable remediation is sanitising and monitoring data at the point of ingestion, before it enters any agent's context window, combined with auditing all outbound tool calls from every agent in the network.