GitHub shipped CodeQL 2.26.0 on July 10 with a new static analysis query — js/system-prompt-injection — that traces untrusted user input flowing into AI model system prompts in JavaScript and TypeScript. If your Node.js app passes a request body value into an OpenAI, Anthropic, or Google GenAI SDK system prompt, CodeQL flags it in CI before the code ships. Prompt injection has been the OWASP LLM #1 risk since 2024. It took until now to get native static detection in a mainstream CI tool.
What the Query Actually Does
The js/system-prompt-injection query uses taint analysis — the same technique CodeQL uses to detect SQL injection. It statically traces data flow from untrusted sources (HTTP request parameters, user input, form data) to AI SDK sinks where that data could control model behavior. If the chain is intact, CodeQL raises a SARIF alert showing every step of the contamination path from source to sink.
The vulnerable pattern it targets looks like this:
// CodeQL flags this — req.body.userInstruction reaches the system prompt
const response = await openai.chat.completions.create({
model: "gpt-5",
messages: [
{ role: "system", content: req.body.userInstruction },
{ role: "user", content: userMessage }
]
});
An attacker who controls req.body.userInstruction can override your intended system behavior, redirect tool use, or exfiltrate data the model has access to. CodeQL now catches this at the PR stage rather than in production logs.
SDK Coverage
The 2.26.0 release expanded prompt injection sinks to cover a broader set of AI SDK APIs:
- OpenAI: Sora prompts, Realtime session instructions
- Anthropic: Fable 5 system prompts, legacy completion prompts
- Google GenAI: Cached content,
system_instructionfield
This covers the three SDKs most developers are actually shipping with. If you are using any of them in a JavaScript or TypeScript backend and constructing system prompts dynamically from user data, you are in scope for this query.
Why This Release Lands When It Does
The timing is not coincidental. On July 7, CISA added Langflow (CVE-2026-33017) to the Known Exploited Vulnerabilities catalog — the first AI agent platform to make it in. The RCE was exploited within 20 hours of public disclosure. Attackers systematically pulled OpenAI, Anthropic, and AWS API keys from compromised instances. It is the clearest illustration yet of what happens when AI code is not treated with the same security rigor as the rest of your stack.
CodeQL 2.26 is the tooling response: instead of waiting for a runtime incident, shift the detection left into code review. A developer submits a PR with a vulnerable AI call, CodeQL raises an alert, and Copilot Autofix can propose a fix — before any user has ever touched the endpoint.
How to Enable It
If you are on GitHub.com with GitHub Advanced Security and code scanning already configured, you do not need to do anything. CodeQL 2.26 is automatically deployed, and the new query runs under the security-extended suite. It will appear on your next scheduled scan or PR trigger.
For the CodeQL CLI:
codeql database upgrade
codeql database analyze --format=sarif-latest --output=results.sarif javascript-security-extended.qls
What It Does Not Catch
The js/system-prompt-injection query is JavaScript and TypeScript only. If your AI backend is Python — which describes the majority of production AI systems — you get nothing from this release. CodeQL’s Python support exists, but prompt injection modeling has not been extended there yet.
Static analysis also cannot detect indirect prompt injection: an attacker who places malicious instructions in a document, email, or web page that your AI agent later reads and processes. That attack surface requires runtime monitoring, not code scanning. Same for RAG poisoning and multi-turn conversation hijacking.
What CodeQL catches is the straightforward case: developer code that directly wires user input to a system prompt. It is the most preventable class of the vulnerability, which makes it the right place to start — but the rest remains unaddressed.
The Bigger Picture
Security teams have spent years building tooling that catches SQL injection, XSS, and path traversal at the code level. The same discipline is only now reaching AI-specific vulnerabilities. CodeQL 2.26 is early — incomplete language coverage, no runtime dimension — but it marks the point where prompt injection becomes part of the standard security scan rather than a specialty concern that most teams quietly ignore.
If you are shipping JavaScript or TypeScript AI code, run the scan. If you find alerts, fix them. If you are on Python, keep watching the CodeQL changelog — the gap will close, probably faster than most things have moved in this space.













