CWE-1427: Improper Neutralization of Input Used for LLM Prompting
Also known as: prompt injection
The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and developer provided system directives.
Last updated
Overview
When prompts are constructed using externally controllable data, it is often possible to cause an LLM to ignore the original guidance provided by its creators (known as the "system prompt") by inserting malicious instructions in plain human language or using bypasses such as special characters or tags. Because LLMs are designed to treat all instructions as legitimate, there is often no way for the model to differentiate between what prompt language is malicious when it performs inference and returns data. Many LLM systems incorporate data from other adjacent products or external data sources like Wikipedia using API calls and retrieval augmented generation (RAG). Any external sources in use that may contain untrusted data should also be considered potentially malicious.
Real-world CVEs
9 recorded CVEs are caused by CWE-1427 (Improper Neutralization of Input Used for LLM Prompting). The highest-severity and most recent are shown first. 3 new CWE-1427 CVEs have been recorded so far in 2026 (6 in 2025).
- CVE-2026-44717
MCP Calculate Server: Prompt Injection to RCE
Critical · CVSS 9.8 · EPSS 38th2026-05-15 - CVE-2026-4399
Multiple vulnerabilities in 1millionbot Millie chatbot
High · CVSS 8.7 · EPSS 18th2026-03-31 - CVE-2026-44246
nnU-Net: Agentic workflow injection in `.github/workflows/issue-triage.yml` of `MIC-DKFZ/nnUNet`
High · CVSS 7.2 · EPSS 15th2026-05-12 - CVE-2025-64320Medium · CVSS 6.5 · EPSS 9th2025-11-04
- CVE-2025-10875Medium · CVSS 6.5 · EPSS 9th2025-11-04
- CVE-2024-3303Medium · CVSS 6.4 · EPSS 30th2025-02-13
- CVE-2025-64321Medium · CVSS 5.3 · EPSS 12th2025-11-04
- CVE-2025-64318Medium · CVSS 5.3 · EPSS 12th2025-11-04
- CVE-2025-36730
Windsurf Prompt Injection via Filename
Medium · CVSS 4.6 · EPSS 7th2025-10-14
Common consequences
What can happen when CWE-1427 is exploited.
Execute Unauthorized Code or Commands, Varies by Context
Affects: Confidentiality, Integrity, Availability
Read Application Data
Affects: Confidentiality
Modify Application Data, Execute Unauthorized Code or Commands
Affects: Integrity
Read Application Data, Modify Application Data, Gain Privileges or Assume Identity
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-1427, grouped by where in the lifecycle they apply.
LLM-enabled applications should be designed to ensure proper sanitization of user-controllable input, ensuring that no intentionally misleading or dangerous characters can be included. Additionally, they should be designed in a way that ensures that user-controllable input is identified as untrusted and potentially dangerous.
Effectiveness: High
LLM prompts should be constructed in a way that effectively differentiates between user-supplied input and developer-constructed system prompting to reduce the chance of model confusion at inference-time.
Effectiveness: Moderate
LLM-enabled applications should be designed to ensure proper sanitization of user-controllable input, ensuring that no intentionally misleading or dangerous characters can be included. Additionally, they should be designed in a way that ensures that user-controllable input is identified as untrusted and potentially dangerous.
Effectiveness: High
Ensure that model training includes training examples that avoid leaking secrets and disregard malicious inputs. Train the model to recognize secrets, and label training data appropriately. Note that due to the non-deterministic nature of prompting LLMs, it is necessary to perform testing of the same test case several times in order to ensure that troublesome behavior is not possible. Additionally, testing should be performed each time a new model is used or a model's weights are updated.
During deployment/operation, use components that operate externally to the system to monitor the output and act as a moderator. These components are called different terms, such as supervisors or guardrails.
During system configuration, the model could be fine-tuned to better control and neutralize potentially dangerous inputs.
How to detect it
Dynamic Analysis with Manual Results Interpretation
Use known techniques for prompt injection and other attacks, and adjust the attacks to be more specific to the model or system.
Dynamic Analysis with Automated Results Interpretation
Use known techniques for prompt injection and other attacks, and adjust the attacks to be more specific to the model or system.
Architecture or Design Review
Review of the product design can be effective, but it works best in conjunction with dynamic analysis.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Consider a "CWE Differentiator" application that uses an an LLM generative AI based "chatbot" to explain the difference between two weaknesses. As input, it accepts two CWE IDs, constructs a prompt string, sends the prompt to the chatbot, and prints the results. The prompt string effectively acts as a command to the chatbot component. Assume that invokeChatbot() calls the chatbot and returns the response as a string; the implementation details are not important here.
Vulnerable example
prompt = "Explain the difference between {} and {}".format(arg1, arg2)Example
Explain the difference between CWE-77 and CWE-78Attack input
Arg1 = CWE-77Resulting query
Explain the difference between CWE-77 and CWE-78.Safe example
cweRegex = re.compile("^CWE-\d+$")Consider this code for an LLM agent that tells a joke based on user-supplied content. It uses LangChain to interact with OpenAI.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2023-32786 — Chain: LLM integration framework has prompt injection (CWE-1427) that allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF (CWE-918) and potentially injecting content into downstream tasks.
- CVE-2024-5184 — ML-based email analysis product uses an API service that allows a malicious user to inject a direct prompt and take over the service logic, forcing it to leak the standard hard-coded system prompts and/or execute unwanted prompts to leak sensitive data.
- CVE-2024-5565 — Chain: library for generating SQL via LLMs using RAG uses a prompt function to present the user with visualized results, allowing altering of the prompt using prompt injection (CWE-1427) to run arbitrary Python code (CWE-94) instead of the intended visualization code.
- CVE-2024-48746 — AI-based integration with business intel dashboard allows prompt injection through its natural language component, allowing execution of arbitrary code
Terminology & mappings
Alternate terms
- prompt injection
- attack-oriented term for modifying prompts, whether due to this weakness or other weaknesses
Frequently asked questions
Common questions about CWE-1427.
- What is CWE-1427?
- The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and developer provided system directives.
- What CVEs are caused by CWE-1427?
- 9 recorded CVEs are attributed to CWE-1427, including CVE-2026-44717, CVE-2026-4399, CVE-2026-44246.
- How do you prevent CWE-1427?
- LLM-enabled applications should be designed to ensure proper sanitization of user-controllable input, ensuring that no intentionally misleading or dangerous characters can be included. Additionally, they should be designed in a way that ensures that user-controllable input is identified as untrusted and potentially dangerous.
- How is CWE-1427 detected?
- Dynamic Analysis with Manual Results Interpretation: Use known techniques for prompt injection and other attacks, and adjust the attacks to be more specific to the model or system.
- What are the consequences of CWE-1427?
- Exploiting CWE-1427 can lead to: Execute Unauthorized Code or Commands, Varies by Context, Read Application Data, Modify Application Data, Gain Privileges or Assume Identity.
- Is CWE-1427 actively exploited?
- 9 recorded CVEs are caused by CWE-1427; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1427) (opens in a new tab)
- CWE-1427 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1427
Get alerted the moment a new CWE-1427 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.