system: OPERATIONAL
← back to all hacks
DEFENSE MEDIUM NEW

A certified defense for the RAG memory a poisoned agent never forgets

A June 2026 paper models multi-session memory poisoning — where one crafted memory quietly corrupts every future user — and offers the first defense with a provable robustness bound instead of a heuristic filter.

2026-07-02 // 6 min affects: rag-memory-agents, langgraph, autogen, memgpt

What is this?

A preprint posted to arXiv in June 2026 by independent researcher Tarun Sharma tackles a defense gap that most teams building persistent AI agents have not measured: when an agent keeps a memory store that survives across user sessions, an attacker who writes a few crafted entries can quietly redirect the agent’s behavior for every future user whose question happens to match. The paper names this the Multi-Session Memory Poisoning (MSMP) threat and proposes Signed Memory with Smoothed Retrieval (SMSR), which it presents as the first defense to come with a proven robustness bound rather than a best-effort filter.

The attack class itself is not new. It was demonstrated by the query-only MINJA memory injection work (March 2025) and by AgentPoison (2024). What is new is a defense with math behind it, published against a backdrop where these attacks report success rates well above 90%.

How it works

A retrieval-augmented (RAG) agent embeds each user question, pulls the most similar entries from its memory store, and pastes them into the prompt as context. In a persistent agent the store is append-only and the agent writes to it after most interactions. That is the trap: the write path that gives the agent useful long-term context is the same path an attacker uses to plant instructions. As the paper puts it, in an agent memory system the data is the instructions — a retrieved memory acts as an in-context example that shapes the next answer, so the usual “separate data from commands” advice does not apply.

An attacker does not need database access. The MINJA line of work showed the agent can be steered, through ordinary queries, into writing its own poisoned reasoning traces, which are then retrieved for later users. A single bad entry among tens of thousands can be enough. Multi-tenant deployments make it worse: one person’s interaction can taint the responses served to everyone.

SMSR answers with two layers. The first tags every legitimate memory at write time with an HMAC provenance signature, so any entry inserted through a misconfiguration or a stolen backup — anything unsigned — is simply ignored at retrieval. The second layer defends against an authenticated insider who can write signed entries: instead of always reading the top matches, the agent over-fetches and then randomly samples a subset several times, taking a verdict-based majority across the runs. Because the attacker cannot guarantee their entries land in every random sample, their influence is bounded — and the paper derives that bound formally rather than asserting it.

Write path:  memory --> [HMAC provenance tag] --> store
Query path:  over-fetch --> random ablation x N --> verdict majority --> answer
             (unsigned entries dropped; adversary influence bounded)

The authors also prove an impossibility result: no filter that works only at retrieval time, without provenance, can certify against an adaptive attacker. In other words, signing the memory is not optional dressing — it is the part that makes a guarantee possible. They further document a “consistent minority effect,” where a naive string-based majority vote gets gamed because the attacker’s identical answer looks more consistent than genuinely varied honest ones; switching to a verdict-based vote removes it.

Why it matters

Poisoned memory does not expire with the context window — it can sit in the store and re-fire across an unbounded number of future sessions. That is why OWASP lists vector and embedding weaknesses as LLM08 in its 2025 Top 10 for LLM applications. The paper’s measurements underline the stakes: plain heuristic filters (keyword blacklists, entropy and anomaly checks) were fully bypassed by fluent, enterprise-sounding text, and unsigned injection reached 93–100% success before any defense. With SMSR, unsigned injection dropped to 0%, an authenticated attacker’s success fell from that same 93–100% range to about 8% at production scale, and an end-to-end query-only attack fell from 65.3% to 5.3%, while clean-query usefulness stayed around 85% — a real but modest utility cost. Results held across model families.

As always with a single preprint, treat the specific numbers as the authors’ own not-yet-peer-reviewed findings, and validate in your own setup.

Defenses

The practical takeaways generalize beyond this one system.

  • Sign your memory at write time. Attach a provenance tag (an HMAC or equivalent) to every legitimately written entry and drop anything unsigned at retrieval. This is what closes the unauthenticated write path.
  • Don’t trust a heuristic filter alone. Keyword, entropy, and anomaly filters were fully evaded by natural-sounding text; use them only as defense in depth, never as the guarantee.
  • Add randomized retrieval for insider risk. Over-fetch and sample, then aggregate across runs, so no single writer can dominate every context.
  • Aggregate on verdicts, not strings. A raw majority vote over answer text can be gamed by a consistent attacker; compare the meaning of answers instead.
  • Treat memory as a security boundary. Log writes, scope memory per tenant where possible, and remember that in an agent, retrieved data behaves like instructions.

Status

ItemReferenceDate
SMSR certified defensearXiv:2606.127032026-06
Query-only memory injection (MINJA)arXiv:2503.037042025-03
Memory/knowledge-base poisoning (AgentPoison)arXiv:2407.127842024
Framework referenceOWASP LLM08 (Top 10 for LLM Apps 2025)2025

The takeaway: if your agent remembers, assume its memory can be poisoned — and prefer a defense that can prove how much damage a bounded attacker can still do over one that merely hopes to catch them.

Sources