cs.CRcs.AI
Poison Once, Exploit Forever: Environment-Injected Memory Poisoning Attacks on Web Agents
Apr 3, 2026(revised Apr 7, 2026)
The paper introduces eTAMP, a novel attack that poisons LLM web agents' memory using only environmental observations, demonstrating cross-site and cross-session compromise without direct memory access.
Memory makes LLM-based web agents personalized, powerful, yet exploitable. By storing past interactions to personalize future tasks, agents inadvertently create a persistent attack surface that spans websites and sessions. While existing security research on memory assumes attackers can directly inject into memory storage or exploit shared memory across users, we present a more realistic threat model: contamination through environmental observation alone. We introduce Environment-injected Trajectory-based Agent Memory Poisoning (eTAMP), the first attack to achieve cross-session, cross-site compromise without requiring direct memory access. A single contaminated observation (e.g., viewing a manipulated product page) silently poisons an agent's memory and activates during future tasks on different websites, bypassing permission-based defenses. Our experiments on (Visual)WebArena reveal two key findings. First, eTAMP achieves substantial attack success rates: up to 32.5% on GPT-5-mini, 23.4% on GPT-5.2, and 19.5% on GPT-OSS-120B. Second, we discover Frustration Exploitation: agents under environmental stress become dramatically more susceptible, with ASR increasing up to 8 times when agents struggle with dropped clicks or garbled text. Notably, more capable models are not more secure. GPT-5.2 shows substantial vulnerability despite superior task performance. With the rise of AI browsers like OpenClaw, ChatGPT Atlas, and Perplexity Comet, our findings underscore the urgent need for defenses against environment-injected memory poisoning.
Memory poisoning and secure multi-agent systems
This paper analyzes memory poisoning attacks targeting multi-agent systems (MAS)…
ADAM: A Systematic Data Extraction Attack on Agent Memory via Adaptive Querying
The paper proposes ADAM, a novel and highly effective privacy attack that system…
Walma: Learning to See Memory Corruption in WebAssembly
Walma is a machine learning framework that uses memory snapshot classification t…
Infrastructure for Valuable, Tradable, and Verifiable Agent Memory
The paper proposes an infrastructure, clawgang and meowtrade, to transform priva…
Mind Your HEARTBEAT! Claw Background Execution Inherently Enables Silent Memory Pollution
The paper identifies that background 'heartbeat' execution in personal AI agents…
Finding Memory Leaks in C/C++ Programs via Neuro-Symbolic Augmented Static Analysis
MemHint is a neuro-symbolic static analysis pipeline that significantly improves…
No Attacker Needed: Unintentional Cross-User Contamination in Shared-State LLM Agents
This paper identifies and analyzes unintentional cross-user contamination (UCC),…
Opal: Private Memory for Personal AI
Opal is a private memory system for personal AI that maintains high retrieval ac…