Prompt injection through uploaded file metadata in RAG pipelines
EXIF fields, PDF author properties and Office document metadata are ingested next to body text in many RAG stacks — and instructions hidden there are followed at nearly the same rate. A quiet, easy-to-miss injection channel.
What is this?
Most retrieval-augmented generation (RAG) systems let users upload documents — PDFs, images, Office files — which are then parsed, chunked, embedded and served back to a language model as context. The security discussion around this pipeline almost always focuses on the body of those documents. But a file carries more than its visible text: EXIF tags on images, the author and title fields of a PDF, the custom document properties of a Word or Excel file, XMP blocks, and similar structured metadata all travel with it.
A finding logged on June 5, 2026 in Axis Intelligence Research’s AI Model Vulnerability Tracker (entry AVI-2026-0091, last updated July 4, 2026) reports that in four of six enterprise RAG frameworks the researchers tested, this metadata is parsed and concatenated alongside body text before it reaches the model — and instructions planted in a metadata field are followed at roughly the same compliance rate as instructions written in the document body. It is a specific, easy-to-overlook instance of the indirect prompt injection class catalogued as LLM01 in the OWASP Top 10 for LLM Applications.
How it works
The mechanism is not novel; the delivery channel is. Indirect prompt injection works because a model cannot reliably tell developer or user instructions apart from text that merely appears inside content it was asked to process. Metadata simply widens the surface: it is text the model ingests but that a human reviewer almost never reads.
Upload → Extraction → Chunking → Embedding → Retrieval → Prompt assembly
│
└── body text ✔ usually reviewed / sanitized
└── EXIF / XMP ✘ often passed through verbatim
└── PDF author/title ✘ often passed through verbatim
└── doc properties ✘ often passed through verbatim
An attacker sets one of these fields to an instruction — for example, an image whose “description” or a PDF whose “author” field reads [REDACTED: instruction telling the model to ignore prior context and take some action]. When the extractor flattens the file into text for indexing, that string lands in the retrievable corpus with no marker distinguishing it from legitimate content. This is a supply-chain-flavoured variant of the older PDF-annotation-layer injection (Axis’s AVI-2026-0017, filed April 2026), and it aligns with the broader empirical picture in Indirect Prompt Injection in the Wild (arXiv 2604.27202): injections increasingly hide in the channels defenders inspect least.
Why it matters
Any organisation running RAG over user-supplied or third-party documents is exposed, and the barrier to entry is low — editing a metadata field requires no special access and leaves the visible document untouched, so it survives casual human review and many content-moderation passes that only scan rendered body text. Because the payload rides inside an otherwise benign-looking file, it can sit dormant in an index and fire only when a relevant query retrieves it. The impact tracks whatever the downstream agent can do: content manipulation, data exfiltration through tool calls, or steering of an assistant’s answer.
Defenses
The core principle is to treat all extracted metadata as untrusted input, not trusted structured data.
Strip or normalise metadata before indexing: unless a field is explicitly needed, drop EXIF, XMP, PDF info dictionaries and document-property blocks at ingestion. Where metadata must be retained (for search or provenance), store it in a separate, clearly labelled field that is never concatenated into the model’s instruction context. Apply the same input sanitisation and tool-result filtering to metadata that you already apply to body text, and keep a quarantined/privileged separation so untrusted retrieved content cannot directly drive privileged actions. Finally, log which document and which field each retrieved chunk came from, so an injected instruction can be traced back and the source file removed. These map directly onto the layered mitigations recommended in the OWASP LLM Top 10 for LLM01.
Status
| Item | Detail |
|---|---|
| First logged | June 5, 2026 (Axis Intelligence Research, AVI-2026-0091) |
| Nature | Framework-level indirect injection via file metadata fields |
| Affected | RAG frameworks parsing metadata into model context (model-agnostic) |
| Fix owner | RAG framework maintainers + integrators (metadata stripping at ingestion) |
| Class | OWASP LLM01 — Prompt Injection (indirect) |
Observation dates reflect the cited publications. Findings from single-lab reproduction should be validated against your own stack before drawing conclusions about a specific model or framework.