ArXiv ACIArena: The First Benchmark for Prompt Injection Attacks Across AI Agent Chains

A new type of prompt injection attack

Multi-agent systems (LangGraph, AutoGen, CrewAI, OpenAI Swarm) are growing in popularity for tasks that require coordinating multiple AI agents. But every agent communicating with another agent represents a new attack surface — and according to a new paper published on April 10, this surface is dangerously underexplored.

The team led by An introduces ACIArena — the first systematic benchmark for agent cascading injection (ACI). This is a family of attacks in which:

1. An attacker injects a malicious prompt into one component of the system (e.g., a document the first agent reads)
2. The first agent processes the input and forwards the “processed” result to the next agent
3. The malicious content “presents” itself as legitimate intra-system communication
4. Subsequent agents treat the compromised data as trustworthy
5. The chain continues until someone executes a dangerous action

What the benchmark contains

ACIArena covers 1,356 test cases across 6 multi-agent implementations. The test cases cover:

• Different input vectors (documents, web pages, API responses)
• Different agent topologies (sequential, parallel, hierarchical)
• Different types of final actions (reading files, writing code, sending emails, executing shell commands)

Why this matters

Most current security studies focus on single-agent scenarios — where the user talks directly to one model. But real-world production deployments increasingly rely on agent chains in which one agent trusts the results of another. ACIArena formally measures how weak this “trust between agents” is.

For development teams already using LangGraph and AutoGen, this benchmark should become a mandatory part of security evaluation prior to production deployment. The absence of such a benchmark so far has meant that attacks were only discovered after incidents.