English

PINA: Prompt Injection Attack against Navigation Agents

Cryptography and Security 2026-01-21 v1

Abstract

Navigation agents powered by large language models (LLMs) convert natural language instructions into executable plans and actions. Compared to text-based applications, their security is far more critical: a successful prompt injection attack does not just alter outputs but can directly misguide physical navigation, leading to unsafe routes, mission failure, or real-world harm. Despite this high-stakes setting, the vulnerability of navigation agents to prompt injection remains largely unexplored. In this paper, we propose PINA, an adaptive prompt optimization framework tailored to navigation agents under black-box, long-context, and action-executable constraints. Experiments on indoor and outdoor navigation agents show that PINA achieves high attack success rates with an average ASR of 87.5%, surpasses all baselines, and remains robust under ablation and adaptive-attack conditions. This work provides the first systematic investigation of prompt injection attacks in navigation and highlights their urgent security implications for embodied LLM agents.

Keywords

Cite

@article{arxiv.2601.13612,
  title  = {PINA: Prompt Injection Attack against Navigation Agents},
  author = {Jiani Liu and Yixin He and Lanlan Fan and Qidi Zhong and Yushi Cheng and Meng Zhang and Yanjiao Chen and Wenyuan Xu},
  journal= {arXiv preprint arXiv:2601.13612},
  year   = {2026}
}

Comments

Accepted at ICASSP 2026

R2 v1 2026-07-01T09:11:51.664Z