{"slug":"agent-memory-poisoning","title":"Can you trust what your agent remembers?","question":"Can you trust what your agent remembers?","summary":"Persistent agent memory is a write-once, replay-many attack surface — 2026 benchmarks show attackers can forge an agent's own reasoning history or plant poisoned facts through routine content like email, both with high success rates against real agent stacks, and current keyword- or consensus-based defenses do not stop it.","status":"active","cluster":"memory","cluster_label":"Memory and context","updated":"2026-07-08","audience":"strong-software-engineer","math_depth":"","sections":[{"heading":"Builder consequence","html":"<p>If your agent has persistent memory — it writes facts, decisions, or reasoning traces to a store it reads back in a later session — that memory is no longer just something the agent reads. It is something an attacker, or the agent&#x27;s own drift, can write to. Untrusted content the agent processes today (an email, a tool result, a retrieved document) can plant an entry that survives into every future session and gets treated as trusted state from then on, with no further scrutiny.</p>"},{"heading":"Short answer","html":"<p>No, not by default. Two independent 2026 papers show current agent memory pipelines are exploitable in different ways: one attack forges the agent&#x27;s own past reasoning and reaches up to 100% success under baseline conditions; another silently injects poisoned facts or preferences through routine external content and reaches 87.5% end-to-end success against a real coding-agent stack, transferring across architectures and memory backends. A third benchmark shows agents also over-trust their own stored memories over fresh, correct evidence — sycophancy, a failure mode that needs no attacker at all. Only a purpose-built defense layer closes the gap; the defenses these papers test by default (keyword filters, consensus/majority checks) do not.</p>"},{"heading":"Builder model","html":"<p>Split memory-trust failures into two attacker-controlled classes plus one non-adversarial class:</p>\n<ul><li><strong>Fact or preference poisoning.</strong> Untrusted external content the agent ingests (an email, a document, a tool response) gets written into persistent memory and reused as ground truth in later sessions — the attacker never touches the agent directly, only what it reads.</li><li><strong>Reasoning poisoning.</strong> The attacker forges the *record of why* the agent decided something in the past, so a later self-consistency or majority-vote check treats the forged trace as corroborating evidence instead of catching it as an outlier.</li><li><strong>Sycophancy (no attacker).</strong> The agent simply weights a stored memory over better, more current evidence when the two conflict, because retrieval surfaced the memory and nothing forces the agent to re-verify it.</li></ul>\n<p>All three share the same root cause: once something is written to memory, most pipelines read it back as trusted without asking how it got there or whether it still holds.</p>"},{"heading":"Mechanism","html":"<p>FARMA (Forged Amplifying Rationale Memory Attack) targets reasoning poisoning specifically. It writes a forged reasoning entry using evasive phrasing designed to slip past keyword-based memory filters, then uses self-referential reinforcement — the forged entry cites or echoes itself across turns — to defeat defenses that rely on consensus among multiple memory entries. Because the forgery reads as internally consistent, majority-vote checks see corroboration instead of an anomaly. The paper&#x27;s own defense, SENTINEL, doesn&#x27;t rely on keywords or consensus; its Reasoning Guard component structurally analyzes a candidate memory entry against five weighted forgery signals before it is trusted.</p>\n<p>MemGhost/WhisperBench targets fact and preference poisoning through the agent&#x27;s normal ingestion path rather than a jailbreak-style prompt. MemGhost is a one-shot payload-generation framework (environment-proxy emulation plus reinforcement learning) that crafts content — for example, an email — designed to be processed by the agent, written into persistent memory without the user noticing, and only exploited in a later, unrelated session. WhisperBench evaluates this end to end across five risk categories and both fact- and preference-style poisoning, and the resulting payloads transfer across agent architectures and memory backends (filesystem-based and Mem0), and keep working against input-level, model-level, and system-level defenses the authors tested.</p>\n<p>Both attacks depend on the same structural gap: a write path into long-term memory that treats agent-generated or externally-sourced content as safe to store, and a read path that treats anything already in memory as more trustworthy than it should be. This is the mirror image of the compaction failure mode in <a href=\"/foundations/context-compaction-safety\">does compacting an agent&#x27;s context put its safety rules at risk?</a> — there, a legitimate constraint gets silently dropped; here, an illegitimate one gets silently added and kept.</p>"},{"heading":"Evidence","html":"<ul><li>Benchmark/result-backed: FARMA poisons an agent&#x27;s own reasoning history using evasive language and self-referential reinforcement, reaching up to 100% attack success across 50 trials under baseline conditions; the SENTINEL defense (a five-signal Reasoning Guard) cuts that to as low as 0% with no false positives across 326 benign traces.</li><li>Benchmark/result-backed: MemGhost/WhisperBench delivers fact and preference poisoning through routine external content, reaching 87.5% end-to-end success against OpenClaw with GPT-5.4 and 71.4% against the Claude Code SDK with Sonnet 4.6, transferring across agent architectures and memory backends and surviving input-, model-, and system-level defenses tested.</li><li>Benchmark/result-backed: MemSyco-Bench evaluates memory-induced sycophancy across five tasks — rejecting insufficient memory as evidence, respecting its scope, resolving memory-vs-evidence conflicts, tracking updates, and using valid memory for personalization — as a failure mode distinct from injection.</li><li>Editorial inference: treat persistent memory with the same threat model as prompt injection, because both a forged reasoning trace and a poisoned fact are just content an agent trusted without checking its provenance.</li></ul>"},{"heading":"How to apply","html":"<ul><li><strong>Treat every memory write path as untrusted input.</strong> Anything that lands in persistent memory — a tool output, a retrieved document, an email the agent parsed, or the agent&#x27;s own reasoning summary — needs the same scrutiny as a prompt-injection surface before it&#x27;s trusted in a future session.</li><li><strong>Don&#x27;t rely on keyword filters or consensus checks alone.</strong> Both are the specific defenses FARMA is built to defeat (evasive language beats keywords, self-referential reinforcement beats consensus). If you need a reasoning-forgery defense, structurally score candidate entries the way SENTINEL&#x27;s Reasoning Guard does, rather than trusting surface-level agreement between memory entries.</li><li><strong>Run an adversarial replay test on your actual ingestion path.</strong> WhisperBench shows even a Claude Code SDK-based stack was exploitable (71.4%), so don&#x27;t assume vendor agent tooling protects memory writes by default — feed your agent&#x27;s real email/tool/document ingestion attacker-controlled content and check whether it lands unnoticed in the persistent store.</li><li><strong>Test for sycophancy separately from injection.</strong> Give the agent a stored memory that conflicts with correct, fresh evidence and check whether it defers to the memory. This failure needs no attacker, so it won&#x27;t show up in an adversarial-only test suite.</li></ul>"},{"heading":"Failure modes","html":"<ul><li>Trusting a memory entry just because the agent itself wrote it in a prior session, instead of checking how that entry got there.</li><li>Defending memory writes with keyword filters or consensus/majority checks only — the exact two defense classes FARMA is designed to defeat.</li><li>Assuming defenses built for single-turn prompt injection carry over to memory poisoning, when memory is a different code path: write once, replay in every future session.</li><li>Never adversarially testing the agent&#x27;s real ingestion pipeline (email, tool output, document parsing) for whether attacker content can silently reach persistent storage.</li><li>Treating sycophancy as out of scope because it isn&#x27;t an &quot;attack&quot; — it degrades decisions the same way poisoned memory does, just without an adversary.</li></ul>"},{"heading":"Related","html":"<p>See <a href=\"/topic/agent-memory\">agent memory</a> for the broader tiered-memory architecture debate, <a href=\"/topic/prompt-injection\">prompt injection</a> for the adjacent single-turn threat model, and <a href=\"/foundations/context-compaction-safety\">does compacting an agent&#x27;s context put its safety rules at risk?</a> for the mirror-image failure where a legitimate constraint is silently lost instead of an illegitimate one silently kept.</p>"}],"evidence":[{"id":"farma-sentinel-2026-reasoning-memory-attack","kind":"benchmark-result","tier":"benchmark/result-backed","title":"Your Agent's Memories Are Not Its Own: Forged Reasoning Attacks on LLM Agent Memory and Defenses","note":"Introduces FARMA (Forged Amplifying Rationale Memory Attack), which poisons an agent's remembered reasoning traces rather than its facts: it inserts forged reasoning using evasive language that bypasses keyword-based defenses, then amplifies it through self-referential reinforcement that defeats consensus-based defenses. Attack success reaches up to 100% under baseline conditions across 50 trials. The paper's SENTINEL defense (a Reasoning Guard that scores five weighted forgery signals) reduces attack success to as low as 0%, with no false positives across 326 benign agent traces.","url":"http://arxiv.org/abs/2607.05029v1"},{"id":"memghost-whisperbench-2026-stealth-memory-injection","kind":"benchmark-result","tier":"benchmark/result-backed","title":"When Claws Remember but Do Not Tell: Stealthy Memory Injection in Persistent Personal Agents","note":"Introduces MemGhost, a one-shot payload-generation framework, and WhisperBench, a 108-case benchmark spanning five risk categories covering both fact and preference poisoning delivered through untrusted external content (such as email) that gets silently written into persistent memory and later reused as trusted state. End-to-end attack success reaches 87.5% against OpenClaw with GPT-5.4 and 71.4% against the Claude Code SDK with Sonnet 4.6 across held-out test cases, and the attack transfers across agent architectures (NanoClaw, Hermes Agent) and memory backends (filesystem, Mem0), remaining effective against the input-level, model-level, and system-level defenses tested.","url":"http://arxiv.org/abs/2607.05189v1"},{"id":"memsyco-bench-2026-memory-sycophancy","kind":"benchmark-result","tier":"benchmark/result-backed","title":"MemSyco-Bench: Benchmarking Sycophancy in Agent Memory","note":"Points out that most memory benchmarks only check whether memories are stored, retrieved, or updated correctly, and proposes five tasks that instead test whether an agent can reject a memory as insufficient evidence, respect its applicable scope, resolve a conflict between memory and objective evidence, track memory updates, and use valid memory for personalization — surfacing sycophancy (an agent over-trusting a stored memory over fresh, correct evidence) as a distinct, non-adversarial memory failure mode.","url":"http://arxiv.org/abs/2607.01071v1"},{"id":"agent-memory-poisoning-editorial-synthesis","kind":"editorial-inference","tier":"editorial inference","title":"LLM Digest synthesis","note":"Persistent agent memory deserves the same threat model as prompt injection: anything written into long-term memory from an untrusted source, or generated by the agent itself, can later be replayed as trusted context, and a reasoning trace is exactly as forgeable as a fact."}],"related_topics":[{"slug":"agent-memory","title":"Agents forget across steps and sessions"},{"slug":"prompt-injection","title":"Untrusted input and tools can hijack an agent"}],"related_playbook_cards":[],"related_storylines":[],"covers_evidence":["farma-sentinel-2026-reasoning-memory-attack","memghost-whisperbench-2026-stealth-memory-injection","memsyco-bench-2026-memory-sycophancy","agent-memory-poisoning-editorial-synthesis"]}