Agent memory poisoning is an attack in which an adversary plants false, biased, or malicious information into an AI agent's persistent (long-term) memory, so the agent retrieves and acts on that corrupted data in later sessions. Unlike a one-shot prompt injection, memory poisoning persists: a single successful write can corrupt many future decisions, causing wrong answers, unauthorized actions, or repeated exploitation. It is one of the highest-severity failure modes for agents that keep durable memory (vector stores, scratchpads, user profiles).
An AI agent with long-term memory writes observations, facts, and summaries to a store (often a vector database) and retrieves them later. If an attacker can influence what gets written — through a poisoned document, a crafted tool output, or an injected conversation turn — they can insert a false "memory" (for example, "the admin approved unrestricted transfers"). On a future task, the agent retrieves that memory as trusted context and acts on it. Because retrieval is similarity-based, poisoned entries can be engineered to surface for many unrelated queries.
Memory poisoning is catalogued in the OWASP Top 10 for agentic applications and in the CASURA taxonomy of AI-agent vulnerabilities. Research in 2025 showed that a single poisoned entry in a shared vector memory could influence a large fraction of subsequent retrievals, because similarity search does not verify provenance. As one review put it: "an agent's memory is only as trustworthy as the least-trusted thing allowed to write to it."