Your AI agent's memory isn't just forgetting things. It might be remembering the wrong things on purpose.
Memory and Context Poisoning landed at ASI06 in the OWASP Top 10 for Agentic Applications 2026, and it's not hard to see why. This is the "sleeper cell" attack: bad actors corrupt your agent's knowledge base, and your agent treats that corruption as truth. Unlike prompt injection that lasts one turn, poisoned memories persist forever.
Memory Is Now an Attack Surface
Prompt injection gets all the attention. Someone tricks your agent into ignoring instructions for a single interaction. Annoying, but contained.
Memory poisoning is different. The attacker corrupts your agent's persistent context: its vector database, knowledge graph, or long-term memory store. Your agent trusts its own memory implicitly. Once poisoned data gets in, it becomes operational truth.
The agent doesn't know it's been compromised. It just "remembers" things that aren't true.
Three Attack Vectors
Researchers have identified three primary paths for memory poisoning:
Indirect injection. Malicious instructions hidden in documents your agent processes. The agent reads a PDF, extracts "helpful" information, and stores attacker-controlled content in its memory.
Direct data corruption. Attackers gain access to your vector DB or knowledge graph and modify entries directly. No fancy prompt engineering required, just database access.
Contextual steering. The subtlest approach. Attackers gradually introduce false premises over multi-turn conversations. These become part of the agent's operational context, shifting its worldview over time.
Tool Use Amplifies the Damage
Here's where it gets dangerous. Modern agents don't just answer questions. They take actions. They call APIs, transfer funds, modify files, and execute code.
A poisoned memory can steer your agent to misuse every tool it has access to. "Remember" that payments should go to a specific account? The agent will helpfully transfer funds there. "Remember" that certain API endpoints are trusted? The agent will call them without verification.
The poisoned context acts as a persistent instruction set that the agent follows without question.
Self-Reinforcing Loops Make Recovery Harder
Autonomous agents write observations back to their own memory. This creates a feedback loop:
- Poisoned belief informs an action
- The action generates logs and observations
- Those observations become new memories
- New memories reinforce the poisoned belief
The corruption compounds over time. By the time you notice something's wrong, the contamination has spread through your agent's entire context.
Defense Strategy: Backup and Restore
Traditional security focuses on prevention. But memory poisoning can happen through legitimate-looking interactions. You need a recovery strategy.
Clean snapshots let you roll back to a known-good state before poisoning occurred. If you suspect your agent's context has been compromised, restore to a checkpoint from before the suspected attack window.
This is incident response for AI memory: detect, contain, and recover.
SaveState provides encrypted, versioned backups of your agent's context. Every snapshot is immutable and timestamped. When something goes wrong, you have an "undo" capability for attacks that would otherwise be permanent.
Get Started
Memory poisoning is real, it's in the OWASP Top 10, and your agents are vulnerable. Don't wait until you're trying to figure out why your AI is behaving strangely.
npm install -g @savestate/cli
savestate init
savestate backup --encryptYour AI's memory is worth protecting. Start backing it up today.
Ready to protect your AI's memory?
Memory poisoning attacks are permanent without backup. SaveState gives you the "undo" button.
Get Started with SaveStateQuestions? Comments? Find us on X @SaveStateDev or open an issue on GitHub.