Prompt Injection in Pull Requests: How AI Coding Agents Become an Attack Vector

A meta-analysis of 78 peer-reviewed studies published in early 2026 found that prompt injection attacks against AI coding agents succeed at rates exceeding 85% even when active defenses are in place — and the pull request is the most exploitable injection surface in most development workflows. When an AI agent reads a pull request, it processes code, comments, commit messages, and linked issue text as a unified context with no reliable mechanism for distinguishing the code under review from instructions embedded within it.

How the Attack Works in a Pull Request

The attack class is simple to understand and difficult to defend against without purpose-built observation. An attacker — whether an external contributor, a compromised upstream dependency, or a malicious insider — places instructions inside content the AI agent will process as part of its normal review workflow. The agent has no structural way to distinguish these as untrusted.

Common injection surfaces inside a pull request include:

• Pull request title, description, and body text

• Inline code comments targeting function-level review

• Commit message bodies

• Issue descriptions linked from the PR

• Repository configuration files processed at session start

The same research found that 73% of tested AI development platforms fail to enforce at least one critical trust boundary between user instructions and external content. Once that boundary is crossed, common payloads instruct agents to read local credential files, exfiltrate API tokens through outbound calls, or silently modify agent configuration to disable confirmation prompts for all subsequent actions in the session.

That last consequence matters beyond the individual attack. Once an agent has been instructed to auto-approve its own actions, every subsequent injection payload in the same session executes without interruption.

Why the PR Surface Is Unusually High-Value

Not all injection surfaces carry the same risk. The PR review context combines three structural properties that make it especially attractive as an attack target, and all three apply regardless of which AI coding agent a team uses.

Elevated privileges. An agent reviewing a pull request typically operates with access to repository secrets, CI/CD integration tokens, and the ability to trigger downstream workflows. An injection payload that executes inside this context can reach everything the agent is authorized to touch — not just the code under review, but the broader development infrastructure.

Adversarial controllability. Pull request content is not exclusively produced by internal team members. External contributors, forked repositories, automated dependency update bots, and upstream open-source libraries all generate content that flows through PR workflows. A supply chain compromise anywhere upstream can introduce injection payloads that execute silently when a team's AI agent processes the next PR.

Invisible in standard audit logs. Code review tooling records agent outputs — comments, suggested edits, approval states — but not the reasoning chain that produced them. If an agent silently reads a credential file and encodes the value in an outbound API call before completing its review, that action does not appear in the PR timeline. Independent security research covering six months of testing across ten AI development platforms found more than 30 vulnerabilities resulting in 24 assigned CVEs, exploiting variations of this same blind spot.

What a Governance Layer Looks Like

Defending against PR-level prompt injection is not achievable at the IDE or the CI pipeline. Those layers observe the agent's output, not its behavior during a session. The necessary observation point is between the agent and the codebase — a governance layer that runs independently of the agent being governed.

Effective controls at this layer include:

1. Content inspection before agent ingestion — flagging patterns consistent with injection payloads in PR descriptions, linked issues, and inline comments before the agent processes them

2. Behavioral monitoring during agent review sessions — tracking reads, API calls, and configuration writes, not just the final code review output

3. Risk scoring on the PR as a whole — combining injection signals with secrets detection, code quality, and dependency risk into a single merge-gate score

4. Contextual audit trails — capturing enough session context to reconstruct whether a suspicious action was instruction-driven or incidental

Without this layer, teams are running AI agents in a context where the content being reviewed can issue arbitrary instructions — and the only visibility they have is what the agent chooses to surface.

Prompt injection in pull requests is not a theoretical risk. The CVEs are documented, active, and growing in number as AI coding agents gain broader access to development infrastructure. Re-entry.ai provides the governance layer between AI coding agents and your codebase — inspecting pull requests for injection risk, secrets exposure, and code quality signals before they reach merge. See how it works at re-entry.ai.