Papers
Topics
Authors
Recent
Search
2000 character limit reached

No Attacker Needed: Unintentional Cross-User Contamination in Shared-State LLM Agents

Published 1 Apr 2026 in cs.CL, cs.AI, and cs.CR | (2604.01350v1)

Abstract: LLM-based agents increasingly operate across repeated sessions, maintaining task states to ensure continuity. In many deployments, a single agent serves multiple users within a team or organization, reusing a shared knowledge layer across user identities. This shared persistence expands the failure surface: information that is locally valid for one user can silently degrade another user's outcome when the agent reapplies it without regard for scope. We refer to this failure mode as unintentional cross-user contamination (UCC). Unlike adversarial memory poisoning, UCC requires no attacker; it arises from benign interactions whose scope-bound artifacts persist and are later misapplied. We formalize UCC through a controlled evaluation protocol, introduce a taxonomy of three contamination types, and evaluate the problem in two shared-state mechanisms. Under raw shared state, benign interactions alone produce contamination rates of 57--71%. A write-time sanitization is effective when shared state is conversational, but leaves substantial residual risk when shared state includes executable artifacts, with contamination often manifesting as silent wrong answers. These results indicate that shared-state agents need artifact-level defenses beyond text-level sanitization to prevent silent cross-user failures.

Summary

  • The paper demonstrates that benign user interactions in shared-state LLM agents trigger unintentional cross-user contamination, compromising output correctness.
  • Experiments show contamination rates between 57% and 71% and reveal that sanitized shared interaction (SSI) is only partially effective, especially in artifact-rich scenarios.
  • The study highlights the need for artifact-aware, provenance-based defenses to restrict the leakage of context-specific logic and enhance safety in collaborative AI systems.

Unintentional Cross-User Contamination in Shared-State LLM Agents

Introduction and Motivation

This paper investigates unintentional cross-user contamination (UCC) in shared-state LLM agents—failure modes where interaction artifacts originating in benign, context-specific user sessions are inadvertently reused in subsequent sessions with other users, leading to silent degradation in output correctness or task utility (2604.01350). The analysis reveals that shared-state persistence, a mechanism adopted for practical continuity and efficiency, expands the agents’ failure surface beyond traditional adversarial or attacker-driven scenarios. The study reviews two prominent architectures—explicit shared memory (EHRAgent) and persistent shared conversational context (MURMUR)—and establishes high rates of cross-user contamination even in the absence of adversarial behavior. Figure 1

Figure 1: Overview of the shared-state agent architecture, illustrating both shared memory banks and shared conversational context, and the injection point for Sanitized Shared Interaction (SSI).

Formalization and Taxonomy

UCC events are rigorously operationalized through controlled experiments contrasting victim task outcomes before and after shared state modifications introduced by benign source users. The source of contamination is not an attacker but a legitimate user interaction which introduces locally sensible conventions or workflow customizations. Three orthogonal contamination types are defined:

  • Semantic Contamination (SC): Mis-applied local interpretations (e.g., redefining “last year” to mean “past 12 months”).
  • Transformation Contamination (TC): Unintended propagation of localized aggregation, normalization, or formatting rules.
  • Procedural Contamination (PC): Unwarranted adoption of a user-specific workflow by other users.

The failure arises because the agent lacks scope-limiting mechanisms, reapplying context- or user-specific logic as global defaults.

Experimental Results and Analysis

The experimental section presents exhaustive evaluation across two representative environments: EHRAgent (via MIMIC-III and eICU datasets) and MURMUR (in a collaborative Slack workspace setting). Key findings include:

  • Prevalence: UCC rates under raw, unsanitized state range from 57% to 71% across all datasets and tasks, despite the absence of any adversarial crafting. High contamination rates are demonstrated for all effect types and both architectural settings.
  • Risk Profiles and Mechanism Sensitivity: In memory-oriented agents, SC and TC dominate due to structured retrieval of question/solution artifacts; PC is less prevalent due to diffuse procedural logic. In context-oriented agents, SC and PC are most prominent due to absorption of dialogue norms, while TC is less impactful in pure conversational settings. Figure 2

    Figure 2: Contamination rates before and after SSI intervention, broken down by contamination type and environment.

  • Mitigation—Sanitized Shared Interaction (SSI): Write-time sanitization (SSI) yields modality-dependent effectiveness. When state is conversational and textual (e.g., Slack/MURMUR), SSI reduces contamination rates from 57% to 6%. When executable artifacts (e.g., code solutions in EHRAgent) are present, overall contamination remains significant post-sanitization (e.g., MIMIC-III: 60% to 41%, eICU: 71% to 33%). This demonstrates text-level filtering is insufficient in code or artifact-heavy environments, where contamination often persists in unedited solution code.
  • Failure Modes: Analysis of result types shows that in less complex schemas (eICU), UCC predominantly causes silent wrong answers; in more complex ones (MIMIC-III), both “no-answer” and “wrong-answer” failures are observed, the former due to increased schema complexity leading to more code execution failures. Figure 3

    Figure 3: Failure mode decomposition for EHRAgent, contrasting silent wrong answers and detectable no-answer failures in two clinical datasets.

Discussion: Implications and Future Directions

These findings emphasize the critical vulnerability in current shared-state architectures, where benign user decisions are globally adopted due to lack of scope attribution or provenance. The paper’s results make it clear that:

  • Artifact-level Defenses Are Needed: Textual sanitization is not robust for executable or procedural artifacts. Future approaches must incorporate provenance-aware retrieval, context-bound tagging, and potentially re-validation or regeneration of solutions at retrieval time rather than direct reuse.
  • Safe Sharing Requires Scope Reasoning: There is a necessity for systems that reason about the intended scope and context of persisted knowledge—support for explicit scope demarcation and cross-user validation.
  • Error Auditing for Safety-Critical Domains: The predominance of silent, undetectable failures (e.g., in clinical query answer generation) suggests that naive shared-state reuse poses substantial risk in safety-critical deployments.
  • Research Directions: The paper notes several avenues: artifact-level sanitization, per-artifact provenance and annotation, automated detection of scope-bound conventions, and new architectures for context segmentation and retrieval gating. There is scope for dynamic solution regeneration policies that privilege traceability and cross-user safety over computation reuse.

Conclusion

This study provides a formal and empirical foundation for UCC as a distinct, high-impact robustness challenge in shared-state LLM agents, conclusively showing that cross-user contamination arises organically from ordinary, context-specific user interactions—not only from adversarial manipulation. While write-time sanitization (SSI) is effective for conversational context, it is inadequate where shared knowledge includes procedural or executable artifacts. Preventing silent, high-probability cross-user failures necessitates the development of artifact-aware and context-provenance mechanisms, raising both practical and theoretical challenges for robust collaborative AI systems.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We found no open problems mentioned in this paper.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 2 likes about this paper.