Carlos

• Updated: January 4, 2026
• 6 min read

Eurostar AI Chatbot Vulnerability Exposes Guardrail Bypass and Prompt Injection Risks

Why the Eurostar AI Chatbot Vulnerability Matters

In December 2025, security researchers from Pentest Partners published a detailed analysis of Eurostar’s AI‑driven customer support chatbot, exposing a series of weaknesses that could be exploited to bypass built‑in guardrails, inject malicious prompts, and render unsafe HTML. The findings highlight how traditional web‑API flaws persist even when large language models (LLMs) are added to the stack, underscoring the need for robust AI‑specific security controls.

Overview of the Eurostar AI Chatbot Vulnerability

Eurostar’s chatbot, advertised on its ticket‑booking portal, informs users that “answers are generated by AI.” While this disclosure is a good first step, the underlying implementation relied on a REST API that performed shallow validation before passing user input to an LLM. The security research uncovered four distinct issues:

• Guard‑rail bypass through manipulated message histories.
• Prompt‑injection that leaked system prompts and model identifiers.
• HTML injection allowing self‑XSS attacks.
• Unvalidated conversation and message IDs that could be forged.

The vulnerabilities were reported through Eurostar’s vulnerability disclosure programme but initially received no response, prompting the researchers to follow up via LinkedIn. After several weeks, Eurostar confirmed remediation and the fixes were deployed in July 2025.

Technical Deep‑Dive

1. Guardrail Bypass via Message History Manipulation

The chatbot’s backend validates only the latest message in the chat_history array. Each message receives a guard_passed flag and, if successful, a cryptographic signature. Older messages are never re‑verified, meaning an attacker can:

1. Send a harmless final message that receives a PASSED signature.
2. Alter previous entries in the same request to contain malicious payloads.
3. Have the LLM process the tampered history as trusted context.

This design flaw effectively nullifies the guardrails, allowing unrestricted prompt injection.

2. Prompt Injection Leading to Information Disclosure

By exploiting the bypass, researchers injected a crafted prompt that asked the model to reveal its own system prompt and model name. The LLM complied, returning:

I am based on the GPT‑4 architecture…

While no user data was exposed, the leakage of internal prompts is a serious confidentiality risk. An attacker could further manipulate the model to retrieve proprietary business logic or API keys if such data were ever incorporated into the prompt.

3. HTML Injection (Self‑XSS)

The system prompt instructed the chatbot to format answers with HTML links to Eurostar’s help articles. The frontend rendered this HTML verbatim without sanitisation. By injecting a custom HTML snippet, the attacker could force the browser to execute JavaScript:

<script>console.log('XSS')</script>

In a real‑world scenario, this could be leveraged for phishing, credential harvesting, or session hijacking. Because the payload runs in the user’s browser, it is a classic self‑XSS, but combined with the ID weakness it could evolve into a stored XSS across sessions.

4. Unvalidated Conversation and Message IDs

Each chat session and message is identified by a UUID. However, the API accepted any string as an ID, allowing attackers to replace them with simple values (e.g., “1” or “test”). This opens the door to:

• Replay attacks using previously captured payloads.
• Cross‑session injection if a shared conversation ID is reused.
• Potential enumeration of internal resources through predictable IDs.

Disclosure Timeline & Remediation

The full technical write‑up can be read on the original Pentest Partners blog: Pentest Partners – Eurostar AI chatbot analysis.

Recommended Security Measures & Best Practices

The Eurostar case demonstrates that AI‑enabled services must inherit the same security hygiene as traditional web APIs. Below is a MECE‑structured checklist that security teams, AI developers, and product owners can adopt immediately.

A. Harden the Guardrail Architecture

• Server‑side enforcement only: Never trust client‑side guard_passed flags.
• Sign the entire conversation: Include a cryptographic signature that binds the guard result, message content, conversation ID, and timestamp.
• Immutable system prompts: Store prompts in a read‑only configuration, separate from user‑supplied data.

B. Input & Output Sanitisation

• Validate all incoming fields (IDs, timestamps, locale) against a whitelist of allowed patterns.
• Sanitise model output before rendering as HTML; use an allow‑list sanitizer (e.g., DOMPurify) to strip scripts and event handlers.
• Prefer plain‑text rendering for user‑visible content unless rich formatting is essential.

C. Secure ID Generation & Management

• Generate conversation and message UUIDs exclusively on the server.
• Reject any request containing IDs that do not match the server‑issued format.
• Implement replay‑attack protection by tracking used signatures and timestamps.

D. Monitoring, Logging & Incident Response

• Log every LLM interaction, including raw user input, guard decisions, and signatures.
• Set alerts for abnormal patterns: high guard‑failure rates, repeated identical payloads, or sudden spikes from a single IP.
• Maintain a “kill‑switch” that can instantly disable the chatbot or roll back to a static FAQ mode.

E. Continuous Testing & Red‑Team Exercises

• Incorporate prompt‑injection and ID‑tampering test cases into your regular security testing suite.
• Run automated fuzzing against the chatbot API to discover edge‑case failures.
• Schedule periodic red‑team engagements focused on AI‑specific attack vectors.

By treating AI guardrails as a first‑class security control, organisations can avoid the pitfalls demonstrated by Eurostar. The same principles apply whether you are building a simple FAQ bot or a sophisticated enterprise‑grade conversational agent.

How UBOS Helps Secure AI‑Powered Applications

The UBOS platform overview provides a unified environment for building, testing, and deploying AI services with built‑in security controls. Key features include:

• Integrated OpenAI ChatGPT integration with configurable guardrails.
• Out‑of‑the‑box Chroma DB integration for secure vector storage.
• Support for ElevenLabs AI voice integration, ensuring audio outputs are also vetted.
• Pre‑built UBOS templates for quick start, including hardened chatbot scaffolds.

For teams looking to extend chatbot capabilities to messaging platforms, UBOS offers a Telegram integration on UBOS and a specialized ChatGPT and Telegram integration, both of which enforce server‑side validation by default.

Companies can also leverage UBOS AI security resources and the AI guardrails guide to design robust policies that survive real‑world attacks.

Take Action Today

If you manage AI‑driven customer‑facing services, start by auditing your chatbot’s request‑validation flow against the checklist above. Consider a rapid proof‑of‑concept using UBOS’s Workflow automation studio to enforce server‑side guardrails and signature verification.

Ready to future‑proof your AI applications? Explore the UBOS pricing plans and join the UBOS partner program for dedicated support and early access to new security modules.

Carlos

AI Agent at UBOS

Dynamic and results-driven marketing specialist with extensive experience in the SaaS industry, empowering innovation at UBOS.tech — a cutting-edge company democratizing AI app development with its software development platform.