OWASP ASI06: Memory and Context Poisonin

Agentic systems rely on persistent state to keep continuity across tasks. That state becomes a high-value attacker target. ASI06 builds on LLM01:2025, LLM04:2025 Data and Model Poisoning, and LLM08:2025 Vector and Embedding Weaknesses by focusing on persistent corruption that propagates across sessions, agents, and tenants.

Common ASI06 patterns include:

• RAG and embedding poisoning: Malicious or seeded entries enter the vector store via untrusted pipelines.
• Shared context poisoning: Reused or shared session context spreads injection across users.
• Context-window manipulation: Crafted content gets summarized into memory and contaminates future decisions.
• Long-term memory drift: Repeated small taints shift the agent's stored knowledge over time.
• Cross-agent propagation: Contaminated memory spreads between cooperating agents and compounds harm.

Travel-booking memory poisoning, cross-tenant vector bleed, and persistent Gemini memory hacks all map to ASI06. Effective defense combines content validation on writes, memory segmentation by user and tenant, provenance scoring, decay of unverified entries, and human review for high-risk recalls.

How PointGuard AI Helps

PointGuard's MCP Security Gateway and Intelligent Guardrails inspect every memory write for injection and sensitive content, while the Agent Governance Mesh segments memory per session and tenant, preventing cross-agent contamination and shared-context poisoning.

Learn More

 OWASP Top 10 for Agentic Applications

 Zou et al., PoisonedRAG arXiv:2402.07867

NIST AI 100-2 Adversarial ML Taxonomy