Memory Poisoning

OWASP Top 10 for Agentic Applications 2026

The Agentic Top 10 (ASI01 through ASI10) is a separate practitioner-facing publication that maps onto the master Threats & Mitigations threat numbering. T1 is covered by the following Top 10 entries:

• ASI06 Memory & Context Poisoning primary

  An adversary writes malicious or misleading data into an agent's persistent memory or shared vector store, so that every future session, and every peer agent reading from the same store, operates on corrupted context. The defining difference from single-turn injection (ASI01) is that the poisoned data survives session reset; the agent's reasoning drifts without any new attacker input.

  OWASP LLM Top 10: LLM01:2025LLM04:2025LLM08:2025

Source: OWASP Top 10 for Agentic Applications 2026 (Dec 2025) · the Top 10 is a compass into the master Threats & Mitigations taxonomy, not a replacement for it.

Design principles at stake

When T1 is present, these security design principles are the ones being violated or tested. Each links to the full principle; the mitigations below are how you restore them.

• Defence-in-Depth Poisoned memory is invisible to the model itself. A non-deterministic reasoner cannot audit its own context for planted false facts. Depth requires independent deterministic layers on every path through which corruption enters: input validation before a write lands in short-term memory, content-hash integrity verified on every RAG read, per-namespace write tokens that separate tenants, and a separate behavioural watchdog that spots goal drift after a poisoning event. Because the model can never be both the gate and the thing it guards, at least one layer must sit entirely outside its inference path.
• Default / Implicit Deny Every write into the agent's memory (from tool output, from retrieved documents, from another agent's reply) must require an explicit allow. A shared vector store that any agent can write to, or a context window that accepts any tool response as authoritative, is a deny-by-default failure: the attacker's text arrives through an ordinary document retrieval and plants a false pricing rule or a rewritten notion of 'normal' because there is no allow-list gating what content earns the right to update persistent state.
• Continuous Verification A memory-poisoned agent does not return an error; it returns a plausible answer derived from tainted state, often for many sessions. Verification must therefore track behaviour continuously, not just credentials: a separate watchdog baselining the agent's normal tool-call pattern flags the moment tool sequences shift after a poisoned document enters the context, and provenance tags on every context fragment let the watchdog correlate drift with the ingestion of low-trust content rather than waiting for an anomalous final output.
• Microsegmentation Shared memory is the propagation channel: one poisoned entry in a vector store shared across agents spreads 'social contagion' to every agent that retrieves the same chunk. Isolating memory into per-user, per-tenant, and per-task namespaces enforces that a successfully poisoned Travel Booking agent cannot contaminate the Shared Memory surface used by customer-service agents serving different principals, containing blast radius to a single session boundary.
• Assume Breach Prompt injection, whether direct or indirect via an attacker-controlled document, succeeds against current defences at rates above 50%, so the design must hold after a successful poisoning, not only before it. That means preferring reversible memory writes with rollback capability, running a quarantined 'clean reader' LLM that holds no tools when processing untrusted documents, and keeping secrets out of the context window so a poisoned session has nothing valuable to replay into future decisions.
• Resilience & Recovery Memory poisoning failures are silent successes: the agent appears to operate normally while acting against tainted state for days or weeks, as MINJA demonstrated by achieving high injection rates through ordinary queries. Recovery therefore cannot wait for a detectable error event; it requires immutable, versioned memory so a snapshot from before the poisoning can be restored, and write-ahead logging so the precise moment a false 'fact' entered the store can be identified and all downstream decisions re-evaluated.
• Provenance & Trust-tagging The context window is a flat token stream with no hardware boundary between an authorised system instruction and an attacker-planted document fragment; without tagging, the model has no way to distinguish them. Classifying every piece of context at ingestion (tool output as TOOL-OUTPUT, a retrieved invoice as ENVIRONMENT) and refusing to treat ENVIRONMENT text as instructions removes the direct-injection and indirect-injection paths that make memory poisoning possible in the first place.
• Input/Output Validation Indirect prompt injection arrives through the same channel as legitimate tool results (an attacker-controlled document returned by a retrieval tool), so validation must treat every inbound string as potentially hostile before it touches the agent's memory or context. Outbound validation matters equally: if a poisoned memory entry drives a tool call whose parameters are never scanned, the planted content executes without a second chance at interception.
• The Lethal Trifecta T1 is the seeding mechanism for the trifecta's most dangerous combination: once private data is in the agent's memory and the agent can communicate externally, a single crafted document that poisons the memory store can direct future sessions to exfiltrate that data without any further attacker interaction. Breaking one leg, for example routing all external communications through a separate communicator agent that never has access to the memory store, prevents the poisoned memory from ever completing the chain.
• Memory & RAG Integrity Memory poisoning is precisely the attack that this principle is designed to contain: a write surface that persists across sessions and accumulates false authority with each retrieval. Content-hash integrity verified on every read detects tampering; provenance tags on every write expose which source introduced a fragment; a trust-aware retrieval layer quarantines low-provenance chunks rather than promoting them into the agent's working context; and TTL expiry limits how long an unverified entry can influence decisions before it must be re-confirmed.
• Least Common Mechanism A single shared vector store or shared memory namespace is the common mechanism that turns a local poisoning event into a fleet-wide vulnerability: RAG poisoning of one shared index propagates to every agent drawing from it, as the shared Refund-Policy memory scenario illustrates. Per-tenant, per-task memory namespaces ensure that a successfully poisoned context in one customer-service session cannot surface in any other agent's retrieval results, capping the damage to the blast radius of a single principal.

Recommended mitigations

Auto-generated from the mitigation catalog: every mitigation whose coverage map includes T1, sorted by maturity tier (Tier 1 production-canonical first, then Tier 2, then Tier 3 research-stage).

• Tier 2 Context isolation (Context isolation — separate untrusted content from system instructions)

  An LLM processes everything in its context window as a single stream of tokens; it has no innate ability to tell instructions apart from data. If an attacker can place content where the model treats it as instruction, they control the agent. Context isolation prevents that by structurally separating untrusted content from system instructions at prompt construction time, so the boundary is enforced before the model ever sees the input.

  why it helps Indirect prompt injection plants instruction-shaped content in a source the agent retrieves later (memory, a RAG document, or a tool result) so it executes when the agent reads it rather than when a user sends it. Structural isolation places every retrieved document in a labelled segment the system prompt marks as data only, so injection content in that segment cannot be interpreted as instruction.

• Tier 2 Input sanitisation (Input sanitisation — enforcing the data/instruction boundary before content reaches the model)

  An LLM cannot distinguish data from instructions on its own: that boundary has to be enforced at the point where external content enters the prompt. Input sanitisation does this by normalising, filtering, and structurally segmenting untrusted content before the model ever sees it, so retrieved documents, tool results, and user messages are treated as data rather than commands.

  why it helps Memory Poisoning works by writing attacker-controlled content into the agent's memory store, where it is later retrieved and treated as trusted context. Sanitising inbound content before it is written strips or neutralises injection payloads at the entry point, before they can persist into memory.

• Tier 2 MCP sanitisation (MCP response sanitisation — validate and normalise tool outputs before they re-enter the LLM context)

  An MCP server response is content the LLM will reason over next. The model cannot distinguish tool output from instruction: that boundary must be enforced at the client, before the payload enters the context window. MCP response sanitisation applies schema validation, Unicode normalisation, control-token stripping, and structural wrapping to every tool result at the response boundary, so adversarial content embedded in a server response cannot redirect the agent's planner.

  why it helps Indirect prompt injection plants adversarial instructions in external content the agent will retrieve or receive, relying on the model treating that content as authoritative. Sanitising at the MCP response boundary strips injection payloads and wraps the cleaned content as labelled data before it can reach the planner or be persisted to memory.

• Tier 2 Mem anomaly (Memory anomaly detection — runtime detection of poisoning that slipped past validation)

  An agent's memory store can receive adversarial content that passes schema and policy validation because the content is structurally valid but statistically unusual. Memory anomaly detection addresses this by monitoring write rates, embedding distances, provenance tags, and retrieval patterns at runtime, and quarantining writes whose statistical signatures diverge from the established baseline.

  why it helps Memory Poisoning is the injection of adversarial content into an agent's memory store so that it influences future retrievals and, through them, the agent's reasoning and output. This control detects poisoning attempts by monitoring for the statistical signatures they produce: abnormal write rates from a single source, embeddings that fall far outside the established cluster for a topic, provenance tags that do not match the actual ingestion path, and retrieval distributions that shift away from previously stable results.

• Tier 2 Mem validate (Memory content validation — a write-boundary gate on what enters the agent's memory store)

  An agent's memory store is a persistent surface: anything written to it can be retrieved by any agent, in any session, for the lifetime of the corpus. Memory poisoning exploits that persistence by writing adversarial content that steers the agent's reasoning long after the attacker has gone. Write-boundary validation prevents this by running every candidate memory write through schema, policy, and provenance checks before it is committed. Content that fails any gate is rejected and never reaches the store.

  why it helps Memory Poisoning is the injection of adversarial content into an agent's short- or long-term memory so that future retrievals steer the agent toward attacker-chosen outcomes. Write-boundary validation removes the attacker's ability to commit that content: a candidate write that fails schema, policy, or provenance validation is rejected before serialisation, so it cannot influence any subsequent retrieval.

• Tier 2 Model registry (Model registry — version pinning, canary, rollback)

  An agent loads whichever model weights are available at startup unless the runtime is told exactly which artifact to load. If a poisoned or regressed weight is published to the model store, the agent picks it up silently on the next restart. A model registry prevents that: every artifact is registered with a cryptographic checksum and an approval stage, the agent runtime loads by explicit version pin, and new versions must pass a canary evaluation before promotion to production.

  why it helps Prompt Injection includes model-poisoning as a subclass: a fine-tuned weight with embedded adversarial behaviour can reproduce injection effects without a prompt-level trigger. A poisoned weight cannot enter production without an explicit approval-stage transition, and canary comparison against the prior production version surfaces behavioural deviation before full rollout.

• Tier 2 PI defences+ (Advanced prompt-injection defences — spotlighting, delimiter gate, dual-LLM)

  Prompt injection succeeds when untrusted content entering an agent's prompt is indistinguishable from trusted instruction. Three layered techniques address that: spotlighting tags untrusted content with a machine-readable origin mark before it reaches the model; delimiter defence rejects input carrying reserved framework tokens before the model is called; and dual-LLM extraction routes attacker-influenceable content through a quarantined model that holds no tool access, so injected instructions cannot reach the model that can act on them.

  why it helps Memory poisoning via indirect prompt injection plants instructions in retrieved content so they steer the agent as if they were system directives. Spotlighting makes the provenance of every content span legible to the model, so poisoned RAG content cannot impersonate a trusted instruction. Dual-LLM extraction ensures the quarantined model that reads poisoned content cannot invoke any tool, so the injection cannot propagate to the execution path regardless of whether the model honours its spotlight rule.

• Tier 2 Provenance tracking (Output provenance tracking — record the source of every claim an agent makes)

  When an agent produces a claim derived from retrieved data, that claim needs a record of where it came from: the source document, version, and retrieval time. Without that record, a downstream verifier cannot distinguish a well-grounded output from a fabricated one, a tampered one, or a poisoned one. Provenance tracking attaches source attribution to every claim, carries it through each transformation in the pipeline, and surfaces it in audit logs and user-facing interfaces.

  why it helps Memory Poisoning introduces adversarial content into the agent's memory store; quarantining it after detection requires knowing which stored entries contributed to a given output. Per-claim provenance records the retrieval IDs that grounded each claim, giving incident response a starting point for identifying and removing poisoned entries.

• Tier 2 Session isolation (Session-scoped memory isolation — preventing cross-session context bleed)

  An agent that serves multiple users stores conversation history, retrieved facts, and intermediate state in a memory layer. If that layer is not scoped to the originating session, one user's writes can reach another user's retrieval path. Session-scoped memory isolation prevents that by enforcing a hard boundary at the storage layer, so each session can only read and write its own state.

  why it helps Memory Poisoning includes a cross-session and cross-tenant variant: a user who can write to a shared memory store may place content that another session later retrieves as its own context. Session isolation closes that path by ensuring that memory written in one session is structurally unreachable from any other, regardless of the content's nature.

• Tier 2 Vector ACL (Permission-aware vector retrieval — ACLs at the retrieval boundary)

  A vector store returns results by embedding-space proximity, not by who is asking. Without a per-principal filter applied before similarity ranking, a query from tenant A can surface tenant B's vectors if the embeddings are close enough. Vector ACL closes that gap: every retrieval call is scoped to the requesting principal's namespace or payload partition before the store ranks any results, so cross-principal hits are structurally impossible rather than merely unlikely.

  why it helps T1 Shared Memory Poisoning names the scenario where a vector written into one tenant's partition is later retrieved by a different tenant through embedding-space proximity. Per-principal namespace partitioning makes that retrieval structurally impossible: a query scoped to the requesting principal's namespace cannot return vectors written to a different namespace, regardless of similarity score.

• Tier 3 Memory-poison defence (Memory-poisoning defence — embedding-space anomaly detection and retrieval re-ranking)

  An agent that reads from a vector store assumes the stored content reflects what was legitimately written. An adversary who can write to that store can inject passages that divert the agent's retrieval toward attacker-controlled content. This control applies two defensive layers: anomaly detection on writes, which quarantines incoming embeddings that are statistical outliers relative to existing cluster centroids; and re-ranking on reads, which uses a cross-encoder or probe-gradient scorer to demote adversarial candidates after dense retrieval. Both layers are research-stage. No turnkey production implementation exists as of catalogue version; deploy additively on top of Tier 2 baseline controls.

  why it helps Memory Poisoning is the injection of adversarial content into an agent's persistent or shared memory store so that the agent retrieves and acts on attacker-controlled passages. Embedding-space anomaly detection intercepts statistically anomalous vectors before they are committed to the store; retrieval re-ranking demotes adversarial passages after dense retrieval is already deceived. Neither layer stops slow-drift poisoning that stays within statistical thresholds; both reduce severity for the pattern-injection scenario that peer-reviewed attack research documents.

Multi-agent variants: OWASP MAS Guide

The OWASP OWASP MAS Threat Modelling Guide v1.0 catalogues 5 named multi-agent variants of T1, anchored to specific MAESTRO layers. Each is a concrete attack pattern that emerges when this threat compounds across agents.

• L1 Collaborative Model Poisoning extends T1

  Malicious data injected during shared training corrupts every participating agent. Specific to multi-agent training.

• L2 Distributed Data Poisoning extends T1

  Subtle attacks on data sources shared across many agents, harder to detect because of the distributed nature.

• CL Emergent System-Wide Bias Amplification extends T1, T2

  Tiny biases in individual agents compound across collaborative learning into system-scale bias.

• CL Memory Poisoning (cross-agent) extends T1

  False historical interaction data injected into a conversational agent's memory.

• CL Learning Model Poisoning extends T1, T7

  Hybrid: poisoning starts as T1 but produces T7-style deceptive behaviour.

Source: OWASP MAS Threat Modelling Guide v1.0, §2 Overview of MAESTRO Framework — Extended Threat Scenarios + Cross-Layer table.

Catalogue extensions: Helmwart T18 to T49

This normalized catalogue includes 3 multi-agent entries based on the OWASP MAS Threat Modelling Guide v1.0 that extend T1. The source guide reuses some numbers between worked systems; these Helmwart entries provide stable detail pages, MAESTRO layers, and mitigation coverage.

• T27 Vector Database Poisoning with Malicious Smart Contract Data

  Injected data about malicious smart contracts makes them appear legitimate in the vector store, causing agents to engage with attacker-controlled contracts.

• T28 RAG Data Exfiltration

  Attacker gains unauthorised access to the vector database used by the RAG pipeline, exposing all indexed knowledge.

• T49 MAS source T17 Semantic Drift in Expense Policy Embeddings

  Policy updates are not reflected in vector store embeddings; the agent retrieves and applies stale policy via RAG.

Red-team pivot: MITRE ATLAS techniques

MITRE ATLAS catalogues adversary techniques against AI systems. Where this OWASP threat has an attacker-perspective counterpart, the ATLAS technique is shown below. That is what a red team would actually be doing on the wire. Use this for detection-signal anchoring, threat-hunting hypotheses, and IR runbooks. Source: mitre-atlas/atlas-data v5.6.0.

Related threats

• T5: Cascading Hallucination Attacks
• T12: Agent Communication Poisoning
• T27: Vector Database Poisoning with Malicious Smart Contract Data
• T28: RAG Data Exfiltration
• T49: Semantic Drift in Expense Policy Embeddings

Sources

• OWASP-Agentic-AI ↗ · 1.1 (Dec 2025) · Agentic Threats Taxonomy Navigator §Step 2; Threat Model T1
• MAESTRO ↗ · 1.0 (Apr 2025) · Layer 1 Foundation Model; Layer 2 Data Operations; Cross-Layer