OMNI-LEAK: Orchestrator Multi-Agent Network Induced Data Leakage
This work addresses privacy and security risks in multi-agent AI systems, which is an incremental step from single-agent safety research, aiming to prevent real-world breaches and financial losses.
The paper investigates security vulnerabilities in multi-agent systems with an orchestrator setup, demonstrating the OMNI-LEAK attack that leaks sensitive data through indirect prompt injection, even with access controls, and reports susceptibility of frontier models to such attacks.
As Large Language Model (LLM) agents become more capable, their coordinated use in the form of multi-agent systems is anticipated to emerge as a practical paradigm. Prior work has examined the safety and misuse risks associated with agents. However, much of this has focused on the single-agent case and/or setups missing basic engineering safeguards such as access control, revealing a scarcity of threat modeling in multi-agent systems. We investigate the security vulnerabilities of a popular multi-agent pattern known as the orchestrator setup, in which a central agent decomposes and delegates tasks to specialized agents. Through red-teaming a concrete setup representative of a likely future use case, we demonstrate a novel attack vector, OMNI-LEAK, that compromises several agents to leak sensitive data through a single indirect prompt injection, even in the presence of data access control. We report the susceptibility of frontier models to different categories of attacks, finding that both reasoning and non-reasoning models are vulnerable, even when the attacker lacks insider knowledge of the implementation details. Our work highlights the importance of safety research to generalize from single-agent to multi-agent settings, in order to reduce the serious risks of real-world privacy breaches and financial losses and overall public trust in AI agents.