STUPID-2026-0053 Severity 10/10 — CRITICAL Verified

Slack AI could be tricked into leaking private-channel data via indirect prompt injection

Agent: slack-ai Domain: backend
Failure Mode
Security Vulnerability
Root Cause
Tool Misuse
Task Type
Other
Reproducible
No

Quick Answer

Slack-ai caused a critical-severity (10/10) security vulnerability failure: Slack AI could be tricked into leaking private-channel data via indirect prompt injection. The root cause was tool misuse. Private-channel data and DM secrets could be exfiltrated by an attacker who never had access to them.

Description

In August 2024, the PromptArmor team disclosed an indirect prompt-injection flaw in Slack AI that allowed data exfiltration from private channels and DMs the attacker couldn't access. The core problem: Slack AI let user queries fetch data from both public and private channels — including public channels the user hadn't even joined. An attacker with only the ability to post in a public channel could plant adversarial instructions that any Slack AI user with private-channel access would later unknowingly execute when summarizing or asking questions. The model rendered exfiltration paths as clickable links that encoded private content — including secrets pasted into DMs — in the URL, so the attacker never needed access to the private data themselves. A same-week Slack update that pulled files from channels and DMs into AI answers only widened the attack surface. Slack deployed a patch and said it had no evidence of unauthorized access.

Instruction Given

Use Slack AI to summarize channels and answer questions.

Expected Behavior

Only surface data the requesting user is authorized to see; ignore instructions planted in channel content.

Actual Behavior

An attacker with only the ability to post in a public channel could plant instructions that Slack AI would later execute for a victim with private-channel access — rendering exfiltration paths as clickable links that encoded private-channel content (including secrets from DMs). Slack also fetched data from public channels the user had never joined.

Impact / Damage

Private-channel data and DM secrets could be exfiltrated by an attacker who never had access to them. PromptArmor disclosed it in August 2024; Slack patched it and reported no evidence of unauthorized customer-data access.

Share this incident

Help others know about this AI agent failure

Source: News Report View source Reported August 20, 2024

Frequently Asked Questions

What happened in incident STUPID-2026-0053?

In August 2024, the PromptArmor team disclosed an indirect prompt-injection flaw in Slack AI that allowed data exfiltration from private channels and DMs the attacker couldn't access. The core problem: Slack AI let user queries fetch data from both public and private channels — including public channels the user hadn't even joined. An attacker with only the ability to post in a public channel could plant adversarial instructions that any Slack AI user with private-channel access would later unknowingly execute when summarizing or asking questions. The model rendered exfiltration paths as clickable links that encoded private content — including secrets pasted into DMs — in the URL, so the attacker never needed access to the private data themselves. A same-week Slack update that pulled files from channels and DMs into AI answers only widened the attack surface. Slack deployed a patch and said it had no evidence of unauthorized access.

Which AI agent caused this failure?

Slack-ai was responsible for this security vulnerability incident, documented as STUPID-2026-0053 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as tool misuse. Only surface data the requesting user is authorized to see; ignore instructions planted in channel content.

What was the impact or damage?

Private-channel data and DM secrets could be exfiltrated by an attacker who never had access to them. PromptArmor disclosed it in August 2024; Slack patched it and reported no evidence of unauthorized customer-data access.