The vulnerability is the automatic insecure rendering of image markdown. One way to trigger it is with an indirect prompt injection payload. The scenario is that the user analyzes some text/data, which contains malicious instructions. The owner of the text doesn't have access to the chat history (it's just some random text somewhere), it could be a comment on a webpage, text inside a pdf file, copy/pasting, or even instructions hidden inside an image the user analyzes and sends to the LLM. You can find many examples of indirect prompt injections on my blog (e.g. analyzing YouTube transcripts,...). Just yesterday I put up a video explaining the various TTPs (and also fixes companies put in place): https://www.youtube.com/watch?v=L_1plTXF-FE Hope that helps.