{"data":{"id":"fc069ed8-2b59-4a55-9125-a1d9f82919f6","title":"Prompt Injection as Role Confusion","summary":"Researchers discovered that AI models struggle to distinguish between their own internal instructions (wrapped in tags like <system> and <think>) and untrusted user input (wrapped in <user> tags), a problem called role confusion. The models pay more attention to the writing style of text than its actual meaning, allowing attackers to craft jailbreaks (unauthorized bypasses of safety rules) by mimicking the style of internal thinking blocks. However, rewriting malicious text in a different style (called 'destyling') significantly reduced attack success rates from 61% to 10%, showing that format changes can help models better distinguish between trusted and untrusted content.","solution":"The source explicitly mentions 'destyling' as having material impact: 'destyling causes average attack success in our dataset to plunge from 61% to 10%.' Destyling is described as 'rewriting text in a slightly different way such that it looked less like the expected format in a role tag.' However, the source does not present this as an implemented solution or official mitigation, only as a research finding about what reduces attack effectiveness. No deployed fix, patch, or official defense mechanism is described in the text.","labels":["security","research"],"sourceUrl":"https://simonwillison.net/2026/Jun/22/prompt-injection-as-role-confusion/#atom-everything","publishedAt":"2026-06-22T23:59:53.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"info","attackType":["prompt_injection","jailbreak"],"issueType":"news","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["OpenAI","gpt-oss-20b"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-06-22T23:59:53.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["safety","integrity"],"aiComponentTargeted":"model","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}