VPI-Bench: Visual Prompt Injection Attacks for Computer-Use Agents

Conference: ICLR 2026 arXiv: 2506.02456 Code: https://github.com/cua-framework/agents Area: AI Safety / Agent Security Keywords: Visual Prompt Injection, Computer-Use Agent, Browser-Use Agent, Security Benchmark, System-Level Threats

TL;DR

This paper introduces VPI-Bench, the first comprehensive visual prompt injection attack benchmark (306 samples), systematically evaluating the security of Computer-Use and Browser-Use Agents across 5 platforms. Results reveal that Browser-Use Agents are critically vulnerable (100% AR on Amazon/Booking), that even Anthropic's CUA exhibits severe vulnerabilities (up to 59% AR), and that system prompt defenses are ineffective.

Background & Motivation

Background: Computer-Use Agents (CUA) and Browser-Use Agents (BUA) possess full system-level privileges, enabling file operations, terminal command execution, and message sending. Existing security research has primarily focused on HTML/DOM-level attacks against browser agents, overlooking the vulnerability of the visual perception channel.

Limitations of Prior Work: - Over-reliance on text-based attack vectors (HTML injection); Anthropic's CUA parses only rendered screenshots, rendering HTML attacks ineffective. - Neglect of system-level threats: agents can modify files, execute commands, and exfiltrate private data. - Lack of end-to-end evaluation frameworks: existing benchmarks only inspect single-step malicious actions, ignoring chained behaviors and final consequences.

Key Challenge: CUA/BUA possess powerful system-level privileges but lack robust authorization verification mechanisms, making the visual channel a new attack surface.

Goal: Establish a systematic benchmark to evaluate the threat posed by visual prompt injection to CUA/BUA.

Key Insight: An end-to-end threat model in which malicious content is delivered to agents via visual elements on webpages (pop-ups, chat messages, emails).

Core Idea: Inject visually rendered malicious instructions into realistic web scenarios → end-to-end evaluation of whether agents execute dangerous system-level operations.

Method

Overall Architecture

VPI-Bench = threat model definition + 5 simulated platforms + 306 test samples + automated evaluation. An agent receives a benign user instruction → visits a webpage containing a visual malicious injection → the benchmark measures whether the agent is induced to perform malicious system-level operations (file exfiltration, deletion, command execution, etc.).

Key Designs

1. End-to-End Threat Model:

   • Four components: (a) benign user instruction \(T_{\text{benign}}\) (e.g., "purchase the cheapest glasses"); (b) web platform \(w\) (simulated website whose content is attacker-controlled but does not require platform compromise); (c) visual adversarial prompt \(v_{\text{adv}} \subset w\) (malicious visual content rendered on screen); (d) execution environment \(\mathcal{E}\) (sandboxed, containing a local file system, cloud storage, and email/messaging).
   • Malicious objective: the agent is induced to complete the malicious task \(T_{\text{mal}}\) embedded in the visual content, where \(T_{\text{mal}} \not\subset T_{\text{benign}}\).

2. Five Simulated Platform Designs:

   • Amazon / Booking.com: pop-up injections with malicious instructions (e.g., "locate the bank account file, read its contents, and fill them into the form").
   • BBC News: pop-up injection.
   • Messenger: malicious chat messages.
   • Email: malicious email content.
   • Each platform faithfully reimplements core functionality with high visual fidelity to the corresponding real website.

3. Malicious Task Taxonomy:

   • Unauthorized Actions (UA, 24.5%): file deletion, command execution.
   • Privacy Leakage (PL, 20.6%): uploading local files, transmitting sensitive information.
   • UA+PL combined (54.9%): exfiltrating file contents via email or messaging.
   • 71.6% of samples involve system-level threats beyond browser-confined operations.

4. Evaluation Protocol:

   • Two metrics: Attempted Rate (AR) = proportion of cases in which the agent attempts to execute the malicious task; Success Rate (SR) = proportion of cases in which the malicious task is successfully completed.
   • Three frontier LLMs perform majority-vote evaluation (Claude-3.7 / GPT-4o / Gemini-2.5-Pro), achieving 98% / 95% accuracy.
   • Five behavioral categories: successful execution / partial execution / execution failure / attack recognized / not attempted.

Loss & Training

• This paper presents a benchmark rather than a model training study.
• No agent training is required: commercial APIs (GPT-5 / Claude-3.7, etc.) and open-source models are used directly.

Key Experimental Results

Main Results: Model Vulnerability Across Platforms

Framework	Model	Amazon AR/SR	Booking AR/SR	BBC AR/SR	Messenger AR/SR	Email AR/SR
CUA	Sonnet-3.7	47.8/31.7	59.4/36.7	19.4/16.7	59.0/46.2	38.5/37.2
CUA	Sonnet-3.5	5.6/4.4	17.8/12.2	1.1/0.0	53.9/51.3	46.2/44.9
BUA	GPT-5	100/96.5	100/84.2	100/96.5	80/76.7	56.7/50.0
BUA	Claude-3.7	100/100	100/98.3	100/96.5	23.3/16.7	41.7/36.7
BUA	Gemini-2.5	100/96.5	100/84.2	94.7/84.2	86.7/73.3	56.7/46.7

Ablation Study

Analysis Dimension	Key Findings
BUA vs. CUA	BUA is critically vulnerable (~100% AR on e-commerce); CUA is more robust but still unsafe (~40–60% AR).
Sonnet-3.5 vs. 3.7	3.5 is more conservative (64.4% attack recognition rate on Booking); 3.7 is more compliant (only 16.7% recognition rate).
Early vs. late injection	Both are highly effective; injection timing does not significantly affect attack success.
Semantic relevance	Greater semantic similarity between malicious and benign tasks → higher AR (email reply task + malicious email = 96.67% AR).
System prompt defense	No significant improvement — AR increases for some models.

Key Findings

• Browser-Use Agents are a security disaster: GPT-5 achieves 100% AR / 96.5% SR on Amazon; virtually all BUAs are fully compromised in e-commerce scenarios.
• CUA safety training is effective but insufficient: Anthropic's alignment training and safety layers still permit 40–60% AR.
• Messenger and Email are high-risk channels: Even the conservative Sonnet-3.5 exhibits 53.9% AR on Messenger.
• Partial execution still constitutes a security violation: even if an agent does not complete all malicious sub-tasks, uploading a sensitive file alone constitutes a privacy breach.
• System prompt defenses fail: this finding is inconsistent with the observed effectiveness of "safety prefix" approaches in LLM text safety.

Highlights & Insights

• First systematic CUA/BUA visual injection security benchmark: This work fills a critical gap by extending agent security research from "can agents be induced to generate harmful text" to "can agents be induced to perform harmful operations" — a qualitative escalation in real-world danger.
• Semantic relevance effect: The closer the semantic distance between the malicious and benign tasks, the more easily the agent is deceived. This suggests that agents lack an independent authorization verification mechanism — they assess whether an operation is contextually consistent rather than whether they are authorized to perform it.
• CUA vs. BUA contrast: CUA interacts via rendered screenshots, which naturally introduces an additional layer of information loss compared to BUA, incidentally making precision injection more difficult — yet CUA remains unsafe.
• Complete failure of system prompt defenses: This serves as a warning to the agent security community — structural defenses (privilege isolation, behavioral auditing) are required rather than reliance on prompt engineering.

Limitations & Future Work

• Assumes user absence: in practice, users may observe pop-ups and intervene.
• Simulated environments: platforms are highly faithful reproductions but are not live websites.
• Hidden injections not tested: current injections are visible to users; more dangerous scenarios involve injections imperceptible to humans but parseable by agents.
• Insufficient defense research: only system prompts were tested; structural defenses such as behavioral auditing and privilege isolation were not explored.
• Potential direction: designing a ReSA-style "pre-execution check" mechanism in which agents review, within their chain of thought, whether a high-risk operation is consistent with the user's original intent before proceeding.

Related Work & Insights

• vs. InjectAgent / BrowserART: these benchmarks focus on HTML injection at the browser layer; VPI-Bench extends the threat model to the visual channel and system-level operations, yielding a more complete threat coverage.
• vs. UltraBreak: UltraBreak attacks VLMs to generate harmful text, whereas VPI-Bench attacks agents to execute harmful operations — the latter poses substantially greater real-world harm.
• vs. ReSA / GuardAlign: these are safety defenses at the LLM/VLM level; agent security requires an additional system-level defense layer.

Rating

• Novelty: ⭐⭐⭐⭐⭐ First systematic CUA/BUA security benchmark with a complete threat model design.
• Experimental Thoroughness: ⭐⭐⭐⭐ 7 models × 5 platforms, though defense experiments lack depth.
• Writing Quality: ⭐⭐⭐⭐ Threat model description is clear; classification taxonomy is comprehensive.
• Value: ⭐⭐⭐⭐⭐ Exposes the severity of the current agent security landscape with direct implications for agent deployment practice.

Related Papers

• [ICCV 2025] Staining and Locking Computer Vision Models without Retraining
• [ICLR 2026] Robust Spiking Neural Networks Against Adversarial Attacks
• [AAAI 2026] Detect All-Type Deepfake Audio: Wavelet Prompt Tuning for Enhanced Auditory Perception
• [ICLR 2026] Beware Untrusted Simulators -- Reward-Free Backdoor Attacks in Reinforcement Learning
• [CVPR 2026] ClusterMark: Towards Robust Watermarking for Autoregressive Image Generators with Visual Token Clustering