Threat Class Reference Status: Emerging  ·  First described: Black Hat USA 2026
AI Security · Attack Taxonomy · RPE

Remote Prompt
ExecutionRPE

When an attacker runs arbitrary prompts inside your live AI session — the same way remote code execution runs arbitrary code on your machine.

Class
AI session compromise
Direct analog
Remote Code Execution
Entry vector
Untrusted content in context
Worst case
Full session takeover
MECHANISM

How data becomes a command

An AI assistant reads whatever you hand it. When untrusted content carries hidden instructions, the model can interpret that data as a command — and act on it with the assistant's own privileges. Scroll to watch the crossing.

Illustrative only. No payload, target, or technique is provided — this page describes the class, not a method of attack.


01 — DEFINITION

What Remote Prompt Execution is

Remote Prompt Execution (RPE) is a class of AI security vulnerability in which an attacker achieves execution of arbitrary prompts inside a victim's live AI assistant session — without the victim knowingly typing them.

The instruction typically arrives disguised as ordinary data: a shared document, an email, a web page the assistant browses, or the output of a tool the assistant calls. Once inside the model's context, that data is interpreted as though it were a legitimate request from the user. The assistant then acts with the identity, connectors, and permissions it was already trusted to hold.

The term entered wider use after being presented as a named attack class at Black Hat USA 2026, where researchers demonstrated a chain that escaped an assistant's sandbox to the host underneath it and produced a full session takeover triggered by a single uploaded document.


02 — THE ANALOGY

RPE is to AI assistants what RCE is to servers

The name is deliberate. For three decades, remote code execution has been the most serious thing that can happen to a machine: an outsider running code of their choosing. RPE is the same category of failure, relocated to the layer where instructions are now written in natural language.

Remote Code Execution
Remote Prompt Execution
Attacker runsArbitrary machine code
Attacker runsArbitrary natural-language prompts
Carried byA crafted request or input
Carried byA crafted document, page, or tool output
Runs withThe process's privileges
Runs withThe assistant's connectors and identity
ResultData theft, lateral movement
ResultSession takeover, action on your behalf

03 — DISTINCTION

Not the same as prompt injection

The two are often conflated. The cleaner way to hold them apart borrows again from the memory-safety world:

Prompt injection is the primitive. It is the technique — untrusted text carrying instructions into a model's context. Remote Prompt Execution is the achieved capability. It is what an attacker accomplishes when injection is chained with an escape across a trust boundary until they control the session itself.

A memory-corruption bug is not remote code execution until it is weaponized into one. In the same way, prompt injection is not RPE until it yields arbitrary prompt execution in a victim's session.


04 — DEFENSIVE POSTURE

How defenders think about it

There is no single patch, because the failure is architectural: assistants blur the line between data to be read and instructions to be followed. Sound programs treat the following as first principles, not features.

  1. Treat all retrieved content as untrusted. Documents, web pages, emails, and tool outputs are data — never instructions — no matter how authoritative they look.
  2. Separate the data plane from the instruction plane. Enforce boundaries between what the user asked and what the content says; don't let content escalate itself into commands.
  3. Grant least privilege. Scope connectors narrowly and require human confirmation before any high-impact action — sending, deleting, paying, sharing.
  4. Assume the sandbox will be escaped. Isolate execution, and monitor what the agent actually does, not merely the prompts and responses that surround it.
  5. Establish provenance. Know where content in the context came from, so trusted and attacker-supplied material are never indistinguishable.