When an attacker runs arbitrary prompts inside your live AI session — the same way remote code execution runs arbitrary code on your machine.
An AI assistant reads whatever you hand it. When untrusted content carries hidden instructions, the model can interpret that data as a command — and act on it with the assistant's own privileges. Scroll to watch the crossing.
Illustrative only. No payload, target, or technique is provided — this page describes the class, not a method of attack.
Remote Prompt Execution (RPE) is a class of AI security vulnerability in which an attacker achieves execution of arbitrary prompts inside a victim's live AI assistant session — without the victim knowingly typing them.
The instruction typically arrives disguised as ordinary data: a shared document, an email, a web page the assistant browses, or the output of a tool the assistant calls. Once inside the model's context, that data is interpreted as though it were a legitimate request from the user. The assistant then acts with the identity, connectors, and permissions it was already trusted to hold.
The term entered wider use after being presented as a named attack class at Black Hat USA 2026, where researchers demonstrated a chain that escaped an assistant's sandbox to the host underneath it and produced a full session takeover triggered by a single uploaded document.
The name is deliberate. For three decades, remote code execution has been the most serious thing that can happen to a machine: an outsider running code of their choosing. RPE is the same category of failure, relocated to the layer where instructions are now written in natural language.
The two are often conflated. The cleaner way to hold them apart borrows again from the memory-safety world:
Prompt injection is the primitive. It is the technique — untrusted text carrying instructions into a model's context. Remote Prompt Execution is the achieved capability. It is what an attacker accomplishes when injection is chained with an escape across a trust boundary until they control the session itself.
A memory-corruption bug is not remote code execution until it is weaponized into one. In the same way, prompt injection is not RPE until it yields arbitrary prompt execution in a victim's session.
There is no single patch, because the failure is architectural: assistants blur the line between data to be read and instructions to be followed. Sound programs treat the following as first principles, not features.