Safe to Check, Unsafe to Use: Relinking at the Compression Boundary of LLM Agents

📅 2026-06-19
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses a critical security vulnerability in large language model (LLM) agents arising from summary-based prompt compression, wherein an attacker can exploit a “relinking” flaw to reassemble dispersed benign fragments into a coherent malicious instruction during compression. The paper introduces, for the first time, the concept of “adversarial relinking” along with a formal model and presents Relink, an automated attack tool that achieves stealthy exploitation without embedding explicit malicious payloads. To counter this threat, the authors propose KBRA, a knowledge-guided boundary realignment defense mechanism. Experimental evaluation across four long-context agent benchmarks demonstrates that Relink achieves an attack success rate of up to 86.9%, while KBRA effectively reduces backend execution rates to 0.0%, substantially outperforming existing defenses.
📝 Abstract
Summarization-based prompt compression is increasingly used by LLM agents to shorten long, distributed contexts, but it shifts the security boundary: filters inspect the pre-compression prompt while the backend acts on a newly generated compressed context. We identify relinking, a compression-boundary vulnerability where the compressor behaves as a confused deputy, summarizing distributed, locally benign fragments into a complete malicious instruction. Unlike prompt injection, relinking need not place an explicitly malicious payload in the source context. We show that relinking arises from summarization itself: attention makes separated fragments jointly available, pre-training makes compatible fragments plausible to connect, and post-training favors compact backend-actionable summaries. We formalize the attacker-induced form as adversarial relinking and present Relink, an automated DSL-based tool that splits malicious payloads into benign fragments while keeping the complete payload absent before compression. Across four long-context agent benchmarks, Relink achieves 86.9% Relink Rate and Backend Action Rate versus 17.0% for clean-split controls. Existing defenses fail to reliably capture adversarial relinking; our KBRA defense reduces residual Backend Action Rate to 0.0%.
Problem

Research questions and friction points this paper is trying to address.

relinking
prompt compression
LLM agents
security vulnerability
adversarial relinking
Innovation

Methods, ideas, or system contributions that make the work stand out.

relinking
prompt compression
adversarial relinking
confused deputy
LLM security
🔎 Similar Papers