Navigation agents powered by large language models (LLMs) convert natural language instructions into executable plans and actions. Compared to text-based applications, their security is far more critical: a successful prompt injection attack does not just alter outputs but can directly misguide physical navigation, leading to unsafe routes, mission failure, or real-world harm. Despite this high-stakes setting, the vulnerability of navigation agents to prompt injection remains largely unexplored. In this paper, we propose PINA, an adaptive prompt optimization framework tailored to navigation agents under black-box, long-context, and action-executable constraints. Experiments on indoor and outdoor navigation agents show that PINA achieves high attack success rates with an average ASR of 87.5%, surpasses all baselines, and remains robust under ablation and adaptive-attack conditions. This work provides the first systematic investigation of prompt injection attacks in navigation and highlights their urgent security implications for embodied LLM agents.
@article{arxiv.2601.13612,
title = {PINA: Prompt Injection Attack against Navigation Agents},
author = {Jiani Liu and Yixin He and Lanlan Fan and Qidi Zhong and Yushi Cheng and Meng Zhang and Yanjiao Chen and Wenyuan Xu},
journal= {arXiv preprint arXiv:2601.13612},
year = {2026}
}