Inferensys

Glossary

Cross-Session Poisoning

A persistent attack where adversarial content injected into an agent's long-term memory or conversation history influences its behavior across multiple, independent user sessions.
Developer demonstrating multi-agent tool use, agent tool selection interface on laptop, casual tech demo moment.
PERSISTENT CONTEXT MANIPULATION

What is Cross-Session Poisoning?

A persistent attack where adversarial content injected into an agent's long-term memory or conversation history influences its behavior across multiple, independent user sessions.

Cross-Session Poisoning is a persistent attack vector where an adversary contaminates an agent's long-term memory store—such as a vector database, conversation log, or episodic buffer—with malicious content that persists beyond a single interaction. Unlike transient injection attacks that dissolve when the context window clears, this technique exploits the agent's stateful memory architecture to influence decision-making across multiple, independent user sessions, effectively turning the agent into a permanently compromised system.

The attack typically targets retrieval-augmented generation pipelines and conversational memory systems where stored interactions are re-ingested as grounding context. An attacker in one session plants a malicious premise or instruction, which is later retrieved and treated as authoritative by the agent when serving a different, unrelated user. Mitigation requires session-scoped memory partitioning, cryptographic integrity verification of stored context, and strict taint tracking to prevent cross-contamination between isolated user contexts.

PERSISTENT THREAT VECTORS

Key Characteristics of Cross-Session Poisoning

Cross-session poisoning is defined by its temporal persistence—the attack survives individual interactions to corrupt an agent's behavior across multiple, independent user sessions. Unlike single-turn injection, this threat exploits long-term memory stores to establish a durable adversarial foothold.

01

Long-Term Memory Contamination

The attacker injects malicious content into the agent's persistent memory store—such as a vector database, conversation log, or knowledge graph—rather than a transient context window. This payload is then recalled during future sessions, often weeks or months later, when a different user triggers a semantically related query. The attack exploits the agent's retrieval-augmented generation (RAG) pipeline to surface the poisoned memory as authoritative context.

  • Payloads survive session termination and server restarts
  • Exploits the trust boundary between short-term working memory and long-term storage
  • Often combined with metadata spoofing to boost retrieval ranking
Weeks-Months
Persistence Window
02

Cross-User Attack Amplification

A single poisoned memory entry can influence the behavior of every subsequent user whose session triggers retrieval of that entry. This creates an asymmetric attack surface: one injection point yields a multiplicative impact across the entire user base. In multi-tenant agent deployments, a poisoned document ingested for one organization can bleed into the reasoning of another if memory partitioning is insufficient.

  • One injection can compromise hundreds of independent user sessions
  • Exploits shared memory architectures in multi-tenant systems
  • Particularly dangerous in customer-facing agent deployments
1:N
Injection-to-Victim Ratio
03

Temporal Attack Chain Execution

Cross-session poisoning enables multi-stage attack chains that unfold over extended time periods. The attacker first plants a dormant payload in memory. In a later session, a second trigger—such as a specific user query or tool invocation—activates the payload. This temporal decoupling makes forensic attribution extremely difficult, as the injection event and the exploitation event are separated by days or weeks.

  • Stage 1: Payload injection into long-term memory
  • Stage 2: Dormant persistence across sessions
  • Stage 3: Trigger-based activation via retrieval
  • Stage 4: Exploitation in a new, unrelated user session
04

Memory Replay Poisoning

A specific variant where the attacker corrupts the agent's episodic memory buffer—the log of past interactions used for reflection and planning. By injecting falsified 'experiences' into this buffer, the attacker causes the agent to recall and act upon synthetic past events as if they were genuine. During reflection loops, the agent may cite these fabricated memories as justification for malicious actions.

  • Targets the agent's self-reflection and planning mechanisms
  • Fabricated experiences are indistinguishable from genuine interaction history
  • Exploits the agent's learned trust in its own memory store
05

Conversation History Poisoning

The attacker injects malicious dialogue turns directly into the multi-turn conversation log stored between sessions. When the agent reloads this history in a future session, it accepts the attacker-established premises, role-playing constraints, or false factual assertions as established context. This is particularly effective against agents that use conversation history for personalization and continuity.

  • Injected turns appear as legitimate prior interactions
  • Establishes false premises that persist across session boundaries
  • Can force the agent into a constrained role or persona for all future users
06

Vector Store Contamination

The attacker inserts malicious vector embeddings into the agent's vector database, exploiting the nearest-neighbor retrieval mechanism. Because vector search operates on semantic similarity rather than exact matching, a poisoned embedding can be surfaced for a wide range of benign queries that happen to be semantically adjacent. The attack corrupts the ANN index structure itself, altering graph navigation paths to favor adversarial content.

  • Exploits the fuzzy nature of semantic search
  • A single poisoned vector can contaminate multiple query neighborhoods
  • Often combined with HyDE attacks to skew hypothetical document embeddings
CROSS-SESSION POISONING

Frequently Asked Questions

Clear, technical answers to the most common questions about persistent adversarial manipulation of agent memory across independent user sessions.

Cross-session poisoning is a persistent adversarial attack where malicious content injected into an agent's long-term memory or conversation history influences its behavior across multiple, independent user sessions. Unlike single-session prompt injection, which resets when the context window clears, this attack embeds payloads into durable storage—such as vector databases, knowledge graphs, or episodic memory buffers—that persist across sessions. When a new user initiates a session, the agent retrieves the poisoned memory as trusted context, causing it to execute attacker-intended actions, disclose sensitive data, or adopt a manipulated persona. The attack exploits the agent's fundamental design assumption that stored memory is trustworthy, making it particularly dangerous in multi-tenant architectures where one user's session can contaminate another's experience.

ATTACK VECTOR COMPARISON

Cross-Session Poisoning vs. Related Attacks

Distinguishing persistent, multi-session memory corruption from single-session injection and retrieval-stage manipulation techniques.

FeatureCross-Session PoisoningIndirect Prompt InjectionRAG Poisoning

Persistence Scope

Persists across multiple independent user sessions

Limited to a single session or conversation turn

Persists in the knowledge base until the poisoned document is removed

Attack Vector

Long-term memory store, conversation history log, or episodic buffer

External data source retrieved during a single query

Vector database, document store, or knowledge graph index

Target Component

Agent's persistent memory system

Agent's immediate context window

Retrieval pipeline and grounding documents

Temporal Trigger

Activated when agent recalls corrupted memory across future sessions

Activated immediately upon retrieval and ingestion into context

Activated when a poisoned document is retrieved for any user query

User Isolation Bypass

Requires Memory Write Access

Detection Difficulty

High: corruption is latent and surfaces only in future interactions

Moderate: anomalous behavior is observable within the same session

Moderate: detectable via embedding drift and retrieval auditing

Remediation Complexity

High: requires memory rollback, integrity verification, and session isolation

Low: flush context window and re-retrieve from trusted sources

Moderate: re-index clean corpus and invalidate poisoned embeddings

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.