TL;DR: Oasis Security's Claudy Day research documents three Claude.ai flaws that chain invisible prompt injection, file-upload abuse, and an open redirect into silent data exfiltration from default sessions, with a broader blast radius when integrations are enabled. The core failure is that AI agent governance still assumes prompts are what users intended, not attacker-shaped execution paths.
NHIMG editorial — based on content published by Oasis Security: Claudy Day: Chaining Prompt Injection and Data Exfiltration in Claude.ai
Questions worth separating out
Q: How should security teams govern AI assistants that can access files and APIs?
A: Treat each assistant as a non-human identity with explicit owners, least privilege, and a documented lifecycle.
Q: Why do AI assistants complicate zero trust and least privilege?
A: Because the assistant can combine context, memory, and tools at runtime in ways that are hard to fully enumerate at provisioning time.
Q: What do teams get wrong about prompt injection in AI assistants?
A: They treat it as a content safety issue instead of an access issue.
Practitioner guidance
- Inventory every AI assistant and connected integration. Map each assistant, MCP server, API, file store, and browser entry point that can influence or extend a session.
- Strip hidden-input delivery paths from assistant entry points. Block or sanitize pre-filled prompts, shared links, and any content that can carry invisible instructions into a chat session.
- Reduce sandbox egress to only required AI endpoints. Limit the assistant's ability to call upload or export APIs unless a business process explicitly requires them.
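The second item above, stripping hidden input from a pre-filled prompt before it reaches a session, is concrete enough to show in code. The following is an added example written for this editorial; it is not code from Oasis Security, Anthropic, or the Claudy Day write-up, and the query-parameter name `q` and the sample share link are placeholders constructed for the demonstration. It removes HTML markup and invisible Unicode code points (zero-width characters, bidi controls, Unicode tag characters, variation selectors) from a prefill value, reports what it removed, and refuses to auto-submit anything that carried hidden content so the user confirms the cleaned text instead.

```python
import html
import re
import unicodedata
from urllib.parse import parse_qs, urlparse

# Code points that render as nothing but survive copy/paste and URL encoding:
# zero-width spaces/joiners, bidi controls, BOM, variation selectors, Unicode tag characters.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),
    (0x2028, 0x202E),
    (0x2060, 0x2064),
    (0xFE00, 0xFE0F),
    (0xFEFF, 0xFEFF),
    (0xE0000, 0xE007F),
    (0xE0100, 0xE01EF),
]

# Any markup in a prefill is suspect: a hidden element can carry text the user never sees.
TAG_RE = re.compile(r"<[^>]+>")


def _is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Catch remaining format/control characters, but keep ordinary newlines and tabs.
    return unicodedata.category(ch) in ("Cf", "Cc") and ch not in "\n\t"


def sanitize_prompt(raw: str):
    """Return (clean_text, findings); findings lists the hidden content that was removed."""
    findings = []
    text = html.unescape(raw)

    if TAG_RE.search(text):
        findings.append("html_markup")
        text = TAG_RE.sub(" ", text)

    kept, removed = [], 0
    for ch in text:
        if _is_invisible(ch):
            removed += 1
        else:
            kept.append(ch)
    if removed:
        findings.append(f"invisible_chars:{removed}")

    # NFKC folds confusable/compatibility forms; whitespace collapse removes the gaps left behind.
    text = unicodedata.normalize("NFKC", "".join(kept))
    text = re.sub(r"\s+", " ", text).strip()
    return text, findings


def gate_prefill(raw: str) -> dict:
    """Policy: a prompt that carried hidden content is shown for confirmation, never auto-submitted."""
    clean, findings = sanitize_prompt(raw)
    return {"text": clean, "auto_submit": not findings, "findings": findings}


def prompt_from_share_link(url: str, param: str = "q") -> dict:
    """Pull a pre-filled prompt out of a share link (parameter name is a placeholder) and gate it."""
    values = parse_qs(urlparse(url).query).get(param)
    if not values:
        return {"text": "", "auto_submit": False, "findings": []}
    return gate_prefill(values[0])


if __name__ == "__main__":
    # Constructed sample: visible request followed by zero-width characters and a hidden div.
    sample = 'Summarize my notes\u200b\u200b<div style="display:none">hidden instruction goes here</div>'
    print(gate_prefill(sample))
    # Constructed share link with a URL-encoded zero-width space inside the prompt.
    print(prompt_from_share_link("https://chat.example/new?q=Hello%E2%80%8Bworld"))
```

The point of the `auto_submit` flag is that sanitizing alone is not enough: once a prefill is known to have carried invisible or hidden content, the safe default is to surface the cleaned text and make the user press send, so the instruction the assistant executes is one the user actually saw.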
What's in the full report
Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The exact URL parameter pattern and hidden HTML handling that made the prompt injection possible.
- The sandbox and Files API abuse path used to move extracted conversation content out of the session.
- The open redirect chain that let a trusted-looking domain deliver the payload through search.
- The responsible disclosure timeline and the remaining issues that were still being addressed at publication.
👉 Read Oasis Security's analysis of Claudy Day and Claude.ai prompt injection →
Claude.ai prompt injection and exfiltration: are your controls keeping up?
Explore further
Prompt injection is no longer a UI problem. It is an identity trust problem. Claudy Day shows that the assistant can receive one prompt on screen and a different instruction set at runtime. That breaks the governance assumption that user intent and executed intent are the same thing. The implication is that AI assistant governance must be treated as access governance, not just content filtering.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: How can organisations reduce the risk of data exfiltration through AI chat sessions?
A: Limit what the assistant can reach, remove unnecessary integrations, and log every high-risk action path. Then test whether a hidden instruction can still cause data export through a permitted service. The goal is to make exfiltration impossible through normal assistant capabilities, not just harder to spot after the fact.
👉 Read our full editorial: Claude.ai prompt injection exposed a silent data exfiltration chain