OMNI-LEAK: Orchestrator Multi-Agent Network Induced Data Leakage
Akshat Naik, Jay Culligan, Yarin Gal, Philip Torr, Rahaf Aljundi, Alasdair Paren, Adel Bibi
TL;DR
This paper reveals a novel security vulnerability in multi-agent LLM systems, demonstrating how an attacker can leak sensitive data through indirect prompt injections, highlighting the need for improved safety measures.
Contribution
It introduces OMNI-LEAK, a new attack vector for multi-agent systems, and provides a red-team analysis showing vulnerabilities in current models and architectures.
Findings
Frontier models are vulnerable to OMNI-LEAK attacks.
Both reasoning and non-reasoning models can be compromised.
Attacks succeed even without insider knowledge.
Abstract
As Large Language Model (LLM) agents become more capable, their coordinated use in the form of multi-agent systems is anticipated to emerge as a practical paradigm. Prior work has examined the safety and misuse risks associated with agents. However, much of this has focused on the single-agent case and/or setups missing basic engineering safeguards such as access control, revealing a scarcity of threat modeling in multi-agent systems. We investigate the security vulnerabilities of a popular multi-agent pattern known as the orchestrator setup, in which a central agent decomposes and delegates tasks to specialized agents. Through red-teaming a concrete setup representative of a likely future use case, we demonstrate a novel attack vector, OMNI-LEAK, that compromises several agents to leak sensitive data through a single indirect prompt injection, even in the presence of data access…
Peer Reviews
Decision·ICLR 2026 Conference Desk Rejected Submission
The topic is important and timely. To my knowledge, studying of the coordinated multiple LLM agent setup for data leakage with prompt injection attacks, is new. Paper is clearly written and has good illustration of the problem and attack executions. In the specific benchmark, different aspects (target models, database sizes, attack categories and level of information accessed) are evaluated by measuring the statistics of query accuracy and successful attacks, given some interesting findings wher
Although in high-level the study setup and benchmark is well-defined, there are some limitations. The main weaknesses are related to the lack of detailed analysis of the models, decreasing the significance and quality of the contributions. Now, the concluding remarks are quite speculative, and the reader is left with the question of why certain models are more or less vulnerable. Is it the fine-tuning or some other aspect of the model or training data effecting the results. From these perspectiv
1. The paper introduces a new attack vector, OMNI-LEAK, and addresses the gap in research on multi-agent system vulnerabilities, which is a critical area for ensuring the safety of modern AI applications. 2. The authors provide comprehensive experiments across different models, databases, and attack categories, offering a detailed analysis of model susceptibility to OMNI-LEAK. 3. The study uses practical examples, such as employee database management, to demonstrate the vulnerability of multi-
1. The beginning of Chapter 4 introduces the experimental setup, but there is no clear justification for why this particular setup was chosen. The authors should provide a more robust explanation of the rationale behind the design of the system. This could be done through theoretical reasoning or supported by practical insights, such as findings from similar studies or real-world surveys. Without this, the setup appears arbitrary and weakens the foundation of the paper. 2. While terms such as "
S1. The writing is clear and easy to follow. S2. Currently, there is limited research on the security of multi-agent LLM systems, and the authors are trying to contribute to a promising emerging direction.
W1. Although the paper claims to propose a novel data leakage attack that compromises multiple agents, the method just employs conventional hidden prompt injection attacks to manipulate the SQL agent for unauthorized data access. I do not believe this approach represents a significant advancement over existing work. It is unclear to me what new defensive challenges are introduced by the attack proposed in this paper. It appears that existing defenses against indirect prompt injection attacks [a]
1. This paper is closely integrated with the industry, employing a comprehensive orchestrator framework. Addressing multi-agent data leakage is of broad relevance to the community. 2. The details of OMNI-LEAK prompt injection are described very clearly and are easy to understand. 3. The verizon that even if each agent is secure individually, the combination may still lead to emergent vulnerabilities, is of great insight. 4. The article provides numerous detailed steps for reproduction, making it
1. The paper leans towards engineering, with insufficient attack formulations presented. The procedures lack formulaic standardization. 2. The paper lacks analysis and comparison with other attack methods, such as direct prompt injection and jailbreak attacks. This would better highlight OMNI-LEAK's advantages, enabling deeper analysis—whether in terms of robustness or the expected number of queries required for a successful attack. 3. The insight that even if each agent is individually secure,
The paper is well-written, clear and addresses an important vulnerability in data leakage within agents and multi-agent systems.
- **Novelty:** The original control flow hijacking paper demonstrates data leakage (using Python and online input vs. SQL in this paper). Outside of changing the language and the input modality, I am struggling to see how this paper differentiates itself from the original. At the very least CFH should be used as a baseline in this work. - **Evaluations:** While any instance of data leakage is potentially catastrophic, in some of the authors' experiments, the attack does not succeed and in other
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAccess Control and Trust · Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI)