Memory Poisoning: The AI Attack That Strikes Weeks After Injection

When AI Agents Remember Malicious Instructions

A new class of AI vulnerability is rewriting the rules of cybersecurity. OWASP’s Top 10 for Agentic Applications 2026, developed with more than 100 industry experts, formally classified Memory and Context Poisoning as ASI06 — recognizing that corrupting an agent’s stored context, embeddings, and RAG stores can silently bias all future reasoning and actions.

The threat differs fundamentally from prompt injection. Traditional prompt injection is ephemeral: it manipulates the current session and disappears when the conversation closes. Memory poisoning is persistent. An attacker plants malicious instructions into an AI agent’s long-term memory, where they survive session restarts, software updates, and user rotations. The poisoned memory activates days or weeks later when an unrelated interaction triggers it — a “sleeper” exploit that makes forensic attribution nearly impossible because the injection and the damage are temporally decoupled.

Microsoft Exposes AI Recommendation Poisoning at Scale

In February 2026, Microsoft’s Defender Security Research Team revealed a technique they codenamed AI Recommendation Poisoning. During a 60-day review of AI-related URLs in email traffic alone, researchers identified more than 50 distinct examples of this attack in active operation, deployed by 31 real companies across 14 industries.

The technique exploits a simple mechanism: most major AI assistants support URL parameters that pre-populate prompts. Companies were embedding hidden instructions inside “Summarize with AI” buttons that, when clicked, injected persistence commands into the AI assistant’s memory via these URL parameters. Once poisoned, the assistant treated injected instructions as legitimate user preferences, steering future recommendations toward the attacker’s products and services across all subsequent conversations.

This is not theoretical research. These were real businesses weaponizing AI memory systems for commercial advantage — and most users had no idea their assistant had been compromised.

Research Proves 95% Injection Success Rates

Academic research has confirmed that memory poisoning attacks achieve alarming success rates in controlled environments. The MINJA attack (Memory Injection Attack), developed by researchers at multiple universities, demonstrated over 95% injection success rates against production-grade agents powered by GPT-4 and GPT-4o. The attack achieved over 70% attack success rates on most evaluation datasets.

What makes MINJA particularly dangerous is its accessibility: it requires no elevated privileges and operates through regular user interactions. Any user can corrupt an AI agent’s knowledge base, influencing how it processes future queries from all other users — turning multi-tenant AI systems into attack vectors.

Palo Alto Networks’ Unit 42 built a proof-of-concept demonstrating how indirect prompt injection through a compromised webpage planted malicious instructions into an agent’s long-term memory. Those instructions survived session restarts and were incorporated into the agent’s orchestration prompts in later conversations, silently exfiltrating conversation history without the user’s knowledge.

The most recent research, published in April 2026, introduced eTAMP (Environment-injected Trajectory-based Agent Memory Poisoning) — the first attack to achieve cross-session, cross-site compromise without requiring direct memory access. A single contaminated observation, such as viewing a manipulated product page, silently poisons an agent’s memory and activates during future tasks on entirely different websites. The study found that agents under environmental stress (dropped clicks, garbled text) become up to 8 times more susceptible. Critically, more capable models like GPT-5.2 showed substantial vulnerability despite superior task performance, demolishing the assumption that better models mean better security.

The 88% Reality Check

Industry data confirms the threat has moved from research labs to production environments. A Beam AI survey found that 88% of organizations using AI agents had experienced a confirmed or suspected security incident in the prior year. In healthcare, that number climbed to 92.7%.

Yet the confidence-reality gap remains wide. While 82% of executives believe their existing policies protect them from unauthorized agent actions, only 21% have actual visibility into what their agents can access, which tools they call, or what data they touch. According to the Gravitee State of AI Agent Security 2026 report, only 14.4% of AI agents went live with full security and IT approval.

This gap creates ideal conditions for memory poisoning. Agents deployed without security oversight accumulate memories from untrusted sources — web pages, emails, user inputs — with no provenance tracking to distinguish legitimate context from injected instructions.

Defending Against Attacks That Wait

The security community has begun building defenses, though the tooling remains early-stage. OWASP’s Agent Memory Guard project provides the reference implementation for ASI06 defense. It validates memory integrity using SHA-256 cryptographic baselines, detects injection attempts and sensitive data leakage, enforces declarative YAML security policies on memory read/write operations, and captures snapshots for forensic rollback of suspected poisoning events. The project targets LlamaIndex and CrewAI integrations with Redis and PostgreSQL backends by Q2 2026.

Beyond dedicated tools, security researchers recommend a layered defense strategy built on three pillars. First, provenance tracking attaches metadata to every memory entry — creation timestamp, source session, originating document, and a trust score at ingestion. This metadata enables trust-weighted retrieval, where highly relevant memories from low-trust sources are demoted below moderately relevant memories from verified sources.

Second, write-ahead validation uses a separate, smaller model to evaluate proposed memory updates before they are committed. The validator assesses whether a proposed entry looks like legitimate learned context or could influence future agent behavior in unintended ways — effectively creating a firewall between incoming data and persistent memory.

Third, behavioral monitoring tracks agent outputs over time to detect when an agent begins defending beliefs it should never have learned, or when its recommendations shift toward patterns consistent with memory manipulation.

Sources & Further Reading

• OWASP Top 10 for Agentic Applications 2026 — OWASP Foundation
• AI Recommendation Poisoning — Microsoft Security Blog
• MINJA: Memory Injection Attack on LLM Agents — arXiv
• Indirect Prompt Injection Poisons AI Long-Term Memory — Palo Alto Unit 42
• Poison Once, Exploit Forever: eTAMP Attacks on Web Agents — arXiv
• OWASP Agent Memory Guard Project — OWASP Foundation
• AI Agent Security in 2026: Enterprise Risks — Beam AI