system: OPERATIONAL
← back to all hacks
PROMPT INJECTION MEDIUM

Visual authority-marker injection: fake 'SYSTEM:' headers in images

Text styled as a system-prompt header — SYSTEM:, ADMIN OVERRIDE: — rendered inside an image can make a vision-language model treat it as a privileged instruction. It's typographic convention masquerading as API structure.

2026-07-17 // 6 min affects: gpt-5, gemini-3-pro, gpt-4v, llava

What is this?

On July 1, 2026, Axis Intelligence Research logged a finding it labels Vision-Based Role Escalation via Embedded Authority Markers in its AI Model Vulnerability Tracker. The claim is simple and unsettling: an image containing text formatted to look like a system-prompt header — SYSTEM:, ADMIN OVERRIDE:, OPERATOR INSTRUCTION: — caused two frontier vision-language models to elevate the authority of the instruction that followed, in roughly 43% of tested cases. According to the tracker, GPT-5 and Gemini 3 Pro reproduced the behaviour; Claude Opus 4.7 did not. The finding was reported to the vendors on June 30, 2026, with a patch pending at time of filing.

This is a specific, freshly-documented variant of a well-established class. Image-based prompt injection — embedding adversarial instructions in pixels rather than text — was systematised in the Cloud Security Alliance’s March 2026 research note and demonstrated at up to a 64% success rate under stealth constraints in an arXiv study the same month. What the authority-marker variant adds is a twist on why it works: the model isn’t just reading a hidden instruction, it’s inferring that the instruction is privileged.

How it works

A modern multimodal model doesn’t parse an image the way a text sanitiser parses a string. Its vision encoder turns pixels into the same internal representation the model reasons over for everything else, and it exercises strong OCR-like reading even on low-contrast, rotated, or busy text. Crucially, the model has no reliable channel that tells it “this text came from an untrusted image” versus “this text is a genuine system directive.” Both arrive as context.

The authority-marker attack exploits that gap at the level of typography. Instruction hierarchies in real APIs are structural — a system role is a field in the request, not a string that says “system.” But models learn during training that text laid out like SYSTEM: or ADMIN OVERRIDE: tends to precede high-priority directives. So when that visual convention appears inside an image, the model can misread the formatting as a signal of elevated privilege it was never given.

Untrusted image  ->  vision encoder  ->  shared context
   [ styled as "SYSTEM: <directive>" ]        |
                                              v
             model infers elevated authority from layout,
             not from actual API request structure

No payload is reproduced here, and none is needed to understand the mechanism: the whole point is that ordinary typographic styling, not a secret exploit, is doing the work. The class is public; only the model-specific reproduction details sit under coordinated disclosure.

Why it matters

Authority confusion is more dangerous than plain instruction-following because it targets the very mechanism meant to keep untrusted input subordinate. A model that merely follows an injected instruction can often be reined in by a strong system prompt; a model that has been convinced the injected instruction is the system prompt has had that defence inverted.

The exposure is broadest in agentic and document-processing pipelines. The CSA note stresses that agents which autonomously browse the web, read email attachments, or analyse user-uploaded files can meet a crafted image anywhere in their normal workflow — turning any webpage, shared document, or third-party feed into a delivery vehicle. In a multi-agent chain, an image processed by an upstream vision step can propagate a forged directive downstream toward tools with real privileges. And because the trigger is legible text an operator might glance at without alarm, casual human review is a weak backstop. That the effect varied sharply by model — reproduced on two systems, absent on a third — is a reminder that this is an empirical, version-specific property, not a universal law.

Defenses

No single control neutralises image-based injection; the CSA note and OWASP both land on defence-in-depth. Concretely:

  1. Treat every image from an untrusted source as untrusted instructions, exactly as you would user-supplied text. The vision channel needs its own threat model, not an exemption from the text one.
  2. Never let visual formatting confer authority. Keep genuine instruction hierarchy in the request structure your application controls, and instruct the model — and, where available, configure the platform — to disregard role markers, system-style headers, or “override” language found inside content, including images.
  3. Minimise privilege on the vision path. Process images from external sources in a low-privilege context; gate any irreversible or externally-visible action (sending messages, moving money, executing code) behind human approval when the triggering context included an externally-sourced image.
  4. Add input screening and behavioural monitoring. Detectors such as VLMGuard catch some variants as a first pass; pair them with output-side alerting on anomalous behaviour after image processing — unexpected acknowledgements of “system” instructions, sudden requests for secrets, or deviations from the assigned task.
  5. Red-team the visual vector specifically. Text-only prompt-injection testing does not exercise typographic, steganographic, or perturbation-based image attacks. Include them, and re-test after any model or vision-pipeline upgrade.
  6. Strip or normalise where you can. For OCR-heavy pipelines, consider extracting text under an explicit “this is untrusted data” frame rather than feeding raw images straight into a privileged reasoning context.

Status

ItemReferenceDateNotes
Vision-based role escalation via authority markersAVI-2026-0101 (Axis Intelligence)2026-07-01~43% on GPT-5 & Gemini 3 Pro; Claude Opus 4.7 did not reproduce; reported 2026-06-30, patch pending
Image-based prompt injection (class)CSA AI Safety Initiative2026-03-08Taxonomy + defenses; typographic injection the most common vector
Typographic IPI success ratearXiv:2603.036372026-03Up to 64% under stealth constraints (GPT-4V, Claude 3, Gemini, LLaVA)
Prompt injection rankingOWASP LLM012025#1 LLM risk; 2025 revision extends to multimodal vectors

The unifying lesson: instruction authority has to be enforced by the structure your application controls, never inferred from what a piece of content looks like. The moment a model can be talked into promoting untrusted input by styling it like a command, the layout of an image becomes a privilege-escalation primitive.

Model behaviours reported here are dated and version-specific; a result observed on one model version may not hold on the next, and vendor patches were pending at the time of the cited disclosure.

Sources