Skip to content

Add candidate entry: Persistent Memory Poisoning (LLM11)#26

Open
emmanuelgjr wants to merge 1 commit intoGenAI-Security-Project:mainfrom
emmanuelgjr:new-entry/persistent-memory-poisoning
Open

Add candidate entry: Persistent Memory Poisoning (LLM11)#26
emmanuelgjr wants to merge 1 commit intoGenAI-Security-Project:mainfrom
emmanuelgjr:new-entry/persistent-memory-poisoning

Conversation

@emmanuelgjr
Copy link
Copy Markdown
Collaborator

@emmanuelgjr emmanuelgjr commented May 4, 2026
edited
Loading

Summary

Adds a new-entry candidate proposing Persistent Memory Poisoning for the 2026 list, filed under 2026/new_entry_candidates/persistent-memory-poisoning.md per the Track A workflow in 2026/CONTRIBUTING.md.

The entry covers runtime corruption of an LLM application's long-term memory store — distinct from single-turn prompt injection (LLM01), training/fine-tuning corruption (LLM04), static-corpus retrieval weaknesses (LLM08), and system-prompt leakage (LLM07). It addresses both consolidated memory (ChatGPT/Gemini/Claude memory) and unconsolidated memory in agent frameworks (LangChain, LangGraph, AutoGen, MemGPT, Letta, CrewAI), plus shared and multi-tenant memory.

Conformance

  • File path follows Track A: 2026/new_entry_candidates/<slug>.md with no LLMXX prefix (numbering assigned at promotion).
  • Heading style matches 2026/_template.md and documentation/style/entries.md: ## Persistent Memory Poisoning, ### Description, ### Common Examples of Risk, ### Prevention and Mitigation Strategies, ### Example Attack Scenarios, ### Reference Links.
  • One additional level-3 section, ### Indicators of Compromise, mirrors the precedent of LLM01_PromptInjection.md carrying ### Related Frameworks and Taxonomies. Happy to fold it into another section if reviewers prefer.
  • Commit is SSH-signed and verified.

Sections included

  • Description
  • Common Examples of Risk (8)
  • Prevention and Mitigation Strategies (12)
  • Example Attack Scenarios (5: SpAIware, Gemini delayed-tool-invocation, MINJA, AI-browser CSRF, reflection laundering)
  • Indicators of Compromise (12)
  • Reference Links (14, including SpAIware, MINJA, EchoLeak/CVE-2025-32711, HackedGPT, LayerX/Atlas CSRF, LPCI, and 2026 survey work)

Rationale (why this is a separate entry)

  • Runtime, not training-time: occurs against live production systems with no model-weight access — outside LLM04's scope.
  • Cross-session persistence: payloads survive the originating session and continue to steer the model across conversations and devices — outside LLM01's single-turn scope.
  • Distinct mitigation stack: provenance-tagged memory writes, isolation of memory-write tools while processing untrusted context, trust-aware retrieval with temporal decay, out-of-band UI surfacing of memory mutations — none of which appear in current LLM01/04/07/08 mitigation guidance.
  • Empirically demonstrated at production scale: SpAIware (ChatGPT), Gemini delayed-tool-invocation, MINJA (~98% injection / ~70% end-to-end on GPT-4/4o agents), Atlas CSRF, EchoLeak/CVE-2025-32711, HackedGPT.

Test plan

  • Reviewers confirm conformance to 2026/_template.md and documentation/style/entries.md.
  • Reviewers verify no overlap that would justify folding into LLM01, LLM04, LLM07, or LLM08.
  • Reviewers check reference link correctness and citation format.
  • Reviewers confirm whether Indicators of Compromise should remain a top-level section or be folded.

@emmanuelgjr
Add candidate entry: Persistent Memory Poisoning
70b7cbb 
Adds a Track A new-entry candidate at 2026/new_entry_candidates/persistent-memory-poisoning.md
covering runtime corruption of an LLM application's long-term memory store.

Distinct from LLM01 (single-turn prompt injection), LLM04 (training-time corruption),
LLM07 (system-prompt leakage), and LLM08 (static-corpus retrieval weakness). Covers
both consolidated memory (ChatGPT/Gemini/Claude) and unconsolidated memory in agent
frameworks (LangChain, LangGraph, AutoGen, MemGPT, Letta, CrewAI), plus shared and
multi-tenant stores.

Sections: Description, Common Examples of Risk (8), Prevention and Mitigation
Strategies (12), Example Attack Scenarios (5: SpAIware, Gemini delayed-tool-invocation,
MINJA, AI-browser CSRF, reflection laundering), Indicators of Compromise (12),
Reference Links (14).
@emmanuelgjr emmanuelgjr force-pushed the new-entry/persistent-memory-poisoning branch from 45e2fed to 70b7cbb Compare May 4, 2026 02:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rossja rossja Awaiting requested review from rossja rossja is a code owner

@rocklambros rocklambros Awaiting requested review from rocklambros rocklambros is a code owner

@virtualsteve-star virtualsteve-star Awaiting requested review from virtualsteve-star virtualsteve-star is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@emmanuelgjr