Last updated: July 2026 · Orchesis reference

Agent Memory Poisoning

Agent memory poisoning is an attack in which an adversary plants false, biased, or malicious information into an AI agent's persistent (long-term) memory, so the agent retrieves and acts on that corrupted data in later sessions. Unlike a one-shot prompt injection, memory poisoning persists: a single successful write can corrupt many future decisions, causing wrong answers, unauthorized actions, or repeated exploitation. It is one of the highest-severity failure modes for agents that keep durable memory (vector stores, scratchpads, user profiles).

How agent memory poisoning works

An AI agent with long-term memory writes observations, facts, and summaries to a store (often a vector database) and retrieves them later. If an attacker can influence what gets written — through a poisoned document, a crafted tool output, or an injected conversation turn — they can insert a false "memory" (for example, "the admin approved unrestricted transfers"). On a future task, the agent retrieves that memory as trusted context and acts on it. Because retrieval is similarity-based, poisoned entries can be engineered to surface for many unrelated queries.

Attack examples

How to prevent agent memory poisoning

  1. Provenance-tag every write — record who/what produced each memory; distrust untrusted sources.
  2. Separate trusted and untrusted memory — never let raw tool/web content write directly to authoritative memory.
  3. Require corroboration — a memory should need 2+ independent sources before influencing high-stakes actions.
  4. Expire and re-verify — time-box stored facts; re-validate before reuse.
  5. Monitor writes and retrieval drift — flag anomalous writes and sudden behavior shifts.

Context

Memory poisoning is catalogued in the OWASP Top 10 for agentic applications and in the CASURA taxonomy of AI-agent vulnerabilities. Research in 2025 showed that a single poisoned entry in a shared vector memory could influence a large fraction of subsequent retrievals, because similarity search does not verify provenance. As one review put it: "an agent's memory is only as trustworthy as the least-trusted thing allowed to write to it."

Sources: OWASP Agentic Security Project · CASURA taxonomy (Orchesis). Reference maintained by Orchesis, an open-source AI-agent security proxy.