🤖 AI Summary
Problem: Despite the growing deployment of Large Language Model-based Multi-Agent Systems (LLM-MAS) in high-stakes domains, there exists no systematic security analysis framework tailored to their unique architecture and interactions.
Method: This paper introduces the first vulnerability analysis framework for LLM-MAS. It formally defines a novel threat model specific to such systems; models emergent attack surfaces arising from inter-agent communication, trust relationships, and tool integration; and proposes a dependency-graph–based paradigm for quantifying cascading vulnerabilities.
Contribution/Results: We empirically demonstrate how component-level vulnerabilities are amplified through collaborative agent interactions. Through real-world case studies, we identify three critical open challenges: (1) absence of dedicated evaluation benchmarks, (2) insufficient coverage of multi-agent–specific attacks, and (3) lack of dynamic trust management mechanisms. Our framework establishes the first quantifiable, verifiable methodological foundation for building trustworthy LLM-MAS.
📝 Abstract
This paper argues that a comprehensive vulnerability analysis is essential for building trustworthy Large Language Model-based Multi-Agent Systems (LLM-MAS). These systems, which consist of multiple LLM-powered agents working collaboratively, are increasingly deployed in high-stakes applications but face novel security threats due to their complex structures. While single-agent vulnerabilities are well-studied, LLM-MAS introduces unique attack surfaces through inter-agent communication, trust relationships, and tool integration that remain significantly underexplored. We present a systematic framework for vulnerability analysis of LLM-MAS that unifies diverse research. For each type of vulnerability, we define formal threat models grounded in practical attacker capabilities and illustrate them using real-world LLM-MAS applications. This formulation enables rigorous quantification of vulnerability across different architectures and provides a foundation for designing meaningful evaluation benchmarks. Our analysis reveals that LLM-MAS faces elevated risk due to compositional effects: vulnerabilities in individual components can cascade through agent communication, creating threat models not present in single-agent systems. We conclude by identifying critical open challenges: (1) developing benchmarks specifically tailored to LLM-MAS vulnerability assessment, (2) considering new potential attacks specific to multi-agent architectures, and (3) implementing trust management systems that can enforce security in LLM-MAS. This research provides essential groundwork for future efforts to enhance LLM-MAS trustworthiness as these systems continue their expansion into critical applications.