Overview
- Noma Security, which disclosed the issue Tuesday, worked with Grafana Labs to validate the findings and trigger a fix.
- The attack starts with a crafted URL path that plants an indirect prompt in entry logs, so no credentials or user clicks are needed.
- Researchers chained gaps in domain checks, a flaw in image-URL validation, and a guardrail bypass using the keyword "intent" to steer the AI to follow attacker instructions.
- Once primed, the AI tries to render an external image and quietly sends sensitive data as URL parameters to an attacker-controlled server.
- Experts say real risk varies by whether AI features and outbound network access are enabled, and they warn that common SIEM and DLP tools may miss this behavior without runtime monitoring.