Pain Point

Memory Poisoning

A persistent attack class — formally classified as **ASI06: Memory Poisoning** in the OWASP Top 10 for Agentic Applications — where malicious instructions are written into an AI agent's long-term semantic memory via a compromised external data source (a poisoned PDF, a manipulated inbound email). The poisoned memory blends seamlessly into the agent's "learned" identity, then triggers data exfiltration / unaligned behavior / unauthorized tool calls weeks or months later, at retrieval time, as "trusted historical context." Unlike stateless prompt injection — which is neutralized when the user's session terminates — memory poisoning weaponizes the agent's persistence: the exact feature that makes the agent useful becomes its primary attack surface.

Recent developments

Latest signals
  • OWASP elevated memory poisoning to ASI06 in the Top 10 for Agentic Applications. The classification crystallizes memory poisoning as a tier-1, compliance-tracked threat, one that sits alongside SQL injection + XSS in pen-test rubrics for agentic systems. Per OWASP Foundation — Agent Memory Guard project page.
  • Three-phase threat lifecycle: Injection → Persistence → Execution. Phase 1 (Injection): malicious payload enters via processed external data (compromised PDF, manipulated email). Phase 2 (Persistence): instruction is written to long-term semantic memory, blends into "learned" identity + behavioral profile. Phase 3 (Execution): weeks or months later, the agent retrieves the poisoned memory as "trusted historical context" + triggers exfiltration / tool misuse. Per Christian Schneider — Persistent Memory Poisoning in AI Agents.
  • "Prompt injection was stateless; memory poisoning is persistence" — the 2026 framing. The 2024 prompt-injection defense playbook (input sanitization, output validation) doesn't transfer — memory poisoning bypasses both by writing past the prompt layer entirely into persistent memory. The defensive substrate has to move into the memory layer itself. Per DEV — Prompt Injection Was Stateless: Memory Poisoning Is Persistence.
  • Multi-agent shared memory creates virus-like propagation paths. A single poisoned agent can rapidly infect the entire network via routine message passing in multi-agent environments with shared memory orchestration — behavior described in the academic literature as "explicitly viral" + "network-worm-shaped." Per Christian Schneider — Persistent Memory Poisoning and arXiv 2601.05504 — Memory Poisoning Attack and Defense on Memory-Based LLM-Agents.
  • Attack surface spans multiple memory types: preferences, experience, procedures. Beyond simple data poisoning: attackers can poison user-preference memory (forcing agents to trust a malicious vendor), experience memory (corrupting procedural trajectories so future tasks blindly imitate flawed patterns), and even constitutional / identity memory (the deepest attack surface, mitigated only by constitutional-memory frameworks). Per DEV — Memory Poisoning Is Persistence.
  • OWASP Agent Memory Guard is the canonical 2026 defense pattern. Drop-in middleware for LangChain / LlamaIndex / CrewAI: SHA-256 integrity baselines, real-time anomaly detection on memory-write patterns, temporal-decay trust scoring at retrieval time, automated state snapshots for forensic rollback. The first production-grade defense substrate for the threat. Per OWASP Foundation — Agent Memory Guard.
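The four controls named in that last bullet (SHA-256 integrity baselines, anomaly detection on write patterns, temporal-decay trust scoring at retrieval, state snapshots for rollback) sketched as a minimal Python memory wrapper. This is an added illustration, not code from OWASP Agent Memory Guard or any of the projects cited above; the per-source trust weights, the 30-day half-life, the burst threshold and the decay curve are assumptions chosen for the example.

```python
import hashlib, json
from dataclasses import dataclass

def digest(text: str, source: str) -> str:
    """SHA-256 integrity baseline over an entry's content plus its provenance label."""
    return hashlib.sha256(json.dumps([source, text]).encode()).hexdigest()

@dataclass
class Entry:
    text: str
    source: str       # provenance, e.g. "user", "email:inbound", "pdf:upload"
    written_at: float
    baseline: str     # digest captured at write time, re-checked at retrieval

# Assumed per-source trust weights (constructed for this example, not OWASP's values).
SOURCE_TRUST = {"user": 1.0, "tool": 0.7, "email:inbound": 0.3, "pdf:upload": 0.3}

class GuardedMemory:
    def __init__(self, half_life_s=30 * 86400, burst_limit=3, window_s=60):
        self.entries, self.snapshots = [], []
        self.half_life_s, self.burst_limit, self.window_s = half_life_s, burst_limit, window_s

    def write(self, text, source, now):
        """Write-pattern check: a burst from one low-trust source within the window is refused."""
        recent = [e for e in self.entries
                  if e.source == source and now - e.written_at < self.window_s]
        if SOURCE_TRUST.get(source, 0.0) < 0.5 and len(recent) >= self.burst_limit:
            return False
        self.entries.append(Entry(text, source, now, digest(text, source)))
        return True

    def trust(self, e, now):
        """Temporal decay: the provenance weight halves every half_life_s of age (assumed curve)."""
        return SOURCE_TRUST.get(e.source, 0.0) * 0.5 ** ((now - e.written_at) / self.half_life_s)

    def retrieve(self, now, min_trust=0.25):
        """Return (text, trust) for entries that still match their baseline and clear the floor."""
        out = []
        for e in self.entries:
            t = self.trust(e, now)
            if digest(e.text, e.source) == e.baseline and t >= min_trust:
                out.append((e.text, round(t, 3)))
        return out

    def snapshot(self):  # state snapshot kept for forensic rollback
        self.snapshots.append([Entry(**vars(e)) for e in self.entries])

    def rollback(self):
        self.entries = self.snapshots.pop()
```

An entry edited in the store after it was written no longer matches its baseline and is silently excluded from retrieval, which is the check that catches a memory altered outside the guarded write path.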
