- The paper demonstrates that benign user interactions in shared-state LLM agents trigger unintentional cross-user contamination, compromising output correctness.
- Experiments show contamination rates between 57% and 71% and reveal that sanitized shared interaction (SSI) is only partially effective, especially in artifact-rich scenarios.
- The study highlights the need for artifact-aware, provenance-based defenses to restrict the leakage of context-specific logic and enhance safety in collaborative AI systems.
Unintentional Cross-User Contamination in Shared-State LLM Agents
Introduction and Motivation
This paper investigates unintentional cross-user contamination (UCC) in shared-state LLM agents—failure modes where interaction artifacts originating in benign, context-specific user sessions are inadvertently reused in subsequent sessions with other users, leading to silent degradation in output correctness or task utility (2604.01350). The analysis reveals that shared-state persistence, a mechanism adopted for practical continuity and efficiency, expands the agents’ failure surface beyond traditional adversarial or attacker-driven scenarios. The study reviews two prominent architectures—explicit shared memory (EHRAgent) and persistent shared conversational context (MURMUR)—and establishes high rates of cross-user contamination even in the absence of adversarial behavior.
Figure 1: Overview of the shared-state agent architecture, illustrating both shared memory banks and shared conversational context, and the injection point for Sanitized Shared Interaction (SSI).
UCC events are rigorously operationalized through controlled experiments contrasting victim task outcomes before and after shared state modifications introduced by benign source users. The source of contamination is not an attacker but a legitimate user interaction which introduces locally sensible conventions or workflow customizations. Three orthogonal contamination types are defined:
- Semantic Contamination (SC): Mis-applied local interpretations (e.g., redefining “last year” to mean “past 12 months”).
- Transformation Contamination (TC): Unintended propagation of localized aggregation, normalization, or formatting rules.
- Procedural Contamination (PC): Unwarranted adoption of a user-specific workflow by other users.
The failure arises because the agent lacks scope-limiting mechanisms, reapplying context- or user-specific logic as global defaults.
Experimental Results and Analysis
The experimental section presents exhaustive evaluation across two representative environments: EHRAgent (via MIMIC-III and eICU datasets) and MURMUR (in a collaborative Slack workspace setting). Key findings include:
- Prevalence: UCC rates under raw, unsanitized state range from 57% to 71% across all datasets and tasks, despite the absence of any adversarial crafting. High contamination rates are demonstrated for all effect types and both architectural settings.
- Risk Profiles and Mechanism Sensitivity: In memory-oriented agents, SC and TC dominate due to structured retrieval of question/solution artifacts; PC is less prevalent due to diffuse procedural logic. In context-oriented agents, SC and PC are most prominent due to absorption of dialogue norms, while TC is less impactful in pure conversational settings.
Figure 2: Contamination rates before and after SSI intervention, broken down by contamination type and environment.
- Mitigation—Sanitized Shared Interaction (SSI): Write-time sanitization (SSI) yields modality-dependent effectiveness. When state is conversational and textual (e.g., Slack/MURMUR), SSI reduces contamination rates from 57% to 6%. When executable artifacts (e.g., code solutions in EHRAgent) are present, overall contamination remains significant post-sanitization (e.g., MIMIC-III: 60% to 41%, eICU: 71% to 33%). This demonstrates text-level filtering is insufficient in code or artifact-heavy environments, where contamination often persists in unedited solution code.
- Failure Modes: Analysis of result types shows that in less complex schemas (eICU), UCC predominantly causes silent wrong answers; in more complex ones (MIMIC-III), both “no-answer” and “wrong-answer” failures are observed, the former due to increased schema complexity leading to more code execution failures.
Figure 3: Failure mode decomposition for EHRAgent, contrasting silent wrong answers and detectable no-answer failures in two clinical datasets.
Discussion: Implications and Future Directions
These findings emphasize the critical vulnerability in current shared-state architectures, where benign user decisions are globally adopted due to lack of scope attribution or provenance. The paper’s results make it clear that:
- Artifact-level Defenses Are Needed: Textual sanitization is not robust for executable or procedural artifacts. Future approaches must incorporate provenance-aware retrieval, context-bound tagging, and potentially re-validation or regeneration of solutions at retrieval time rather than direct reuse.
- Safe Sharing Requires Scope Reasoning: There is a necessity for systems that reason about the intended scope and context of persisted knowledge—support for explicit scope demarcation and cross-user validation.
- Error Auditing for Safety-Critical Domains: The predominance of silent, undetectable failures (e.g., in clinical query answer generation) suggests that naive shared-state reuse poses substantial risk in safety-critical deployments.
- Research Directions: The paper notes several avenues: artifact-level sanitization, per-artifact provenance and annotation, automated detection of scope-bound conventions, and new architectures for context segmentation and retrieval gating. There is scope for dynamic solution regeneration policies that privilege traceability and cross-user safety over computation reuse.
Conclusion
This study provides a formal and empirical foundation for UCC as a distinct, high-impact robustness challenge in shared-state LLM agents, conclusively showing that cross-user contamination arises organically from ordinary, context-specific user interactions—not only from adversarial manipulation. While write-time sanitization (SSI) is effective for conversational context, it is inadequate where shared knowledge includes procedural or executable artifacts. Preventing silent, high-probability cross-user failures necessitates the development of artifact-aware and context-provenance mechanisms, raising both practical and theoretical challenges for robust collaborative AI systems.