ASI06: Why Memory Poisoning Was Promoted to a Standalone Threat
OWASP added Memory and Context Poisoning as ASI06 in its 2026 Agentic AI Top 10. As agents increasingly update their own conversation history, vector stores, and long-term memory, a once-corrupted state can distort the judgment of every subsequent session, so this persistent threat was separated into its own entry. The core point is that single-shot input validation is no longer sufficient defense.
The Temporal Split Between Write and Manifestation
Prompt injection manifests immediately within the request that carries the malicious input, so per-request filters block much of it. Memory poisoning, by contrast, separates the moment the tainted data is written from the moment it influences a decision. A record planted today may fire weeks or months later only under specific query conditions, and by then the originating input has already scrolled out of the logs, making after-the-fact tracing difficult.
MINJA: Indirect Injection That Evades Embedding Checks
The MINJA attack plants malicious reasoning records into agent memory through ordinary query interactions alone, without any administrative access. Because its surface text is statistically similar to normal dialogue, it evades embedding-similarity screening, with a reported average success rate of 76.8%. What is corrupted is the accumulated reasoning trajectory rather than the content itself, so string-blocking rules do not detect it.
A Full Guide: From Planning to Operations
In planning, separate the memory layers by trust tier: verified knowledge is read-only, while session-derived memory is tagged as a quarantine candidate. Fix your target metrics as numbers. For example, set a release bar of at least a 99% pass rate on memory-write validation, a p95 latency under 5 minutes to quarantine a suspected-poisoned record, and zero unclassified poisoned records in periodic re-validation.
Define recovery branches around three failure types. First, low-confidence writes are not applied immediately but placed in a quarantine queue that branches to retry or human review. Second, when output at manifestation time conflicts with policy, switch to safe truncation (a minimal response) and block the offending memory reference. Third, if the same record is re-quarantined beyond a threshold, add a stop condition that halts automatic rollback and forces human review.
The operational checklist starts with standard logs. For every memory write, record the source session ID, write timestamp, validation score, and the reference history at manifestation time under one schema, so the write-to-manifestation span can be stitched together after the fact. Apply PII masking to both logs and memory bodies, substituting emails, phone numbers, and identifiers before storage. A masking omission is treated as a release blocker.
Quality control is reinforced with a periodic re-validation batch. Re-scanning aged records on a schedule narrows the dormancy window of delayed-manifestation attacks, and the throughput and false-positive rate of each branch — quarantine, rollback, and human review — are aggregated weekly.
The continuous improvement loop starts from a manifestation case, traces back to its write moment, and feeds the missed validation rule into both the re-validation batch and the write filter. Legitimate records quarantined as false positives are restored, but their pattern is used only as grounds to relax validation criteria, not as a whitelist. When metrics fall below baseline, adjust toward a lower auto-apply ratio and a higher share of human review.
Executive Summary
Because memory poisoning is a persistent attack whose write and manifestation are separated in time, defend it with state management that links write validation, quarantine, re-validation, and rollback rather than per-request filters. Gate releases on numeric bars such as a 99% pass rate, a 5-minute p95 quarantine, and zero unclassified poisoned records, and branch on failure to retry, human review, safe truncation, or a stop condition.