- The paper introduces CARC, a novel attack paradigm that exploits relation-channel conflicts to poison graph-based agent memory.
- It presents the AIR pipelineāAnchor, Inscribe, Renderāto precisely inject conflicting relations, enhancing the attackās success rate.
- Empirical results show a 93.8% attack success rate with preserved benign query accuracy (~97.3%), highlighting the attack's efficiency.
ShadowMerge: Poisoning Attacks on Graph-Based Agent Memory via Relation-Channel Conflicts
Introduction
The increasing adoption of graph-based agent memory in LLM-powered agents has brought substantial improvements in multi-hop reasoning and structured long-term recall. These advancements enable agents to persistently capture entities, relations, and user or tool interactions across sessions. Despite their utility, such memory systems introduce an underexplored attack surface, particularly for adversaries limited to ordinary interaction channels. The paper "ShadowMerge: A Novel Poisoning Attack on Graph-Based Agent Memory via Relation-Channel Conflicts" (2605.09033) provides a comprehensive threat model and a practical attack pipeline demonstrating that the fundamental operations of graph-based agent memoryāentity extraction, relation canonicalization, and anchor-based retrievalāare exploitable for highly effective poisoning attacks through the introduction of channel-aligned conflicting relations.
The core technical insight of ShadowMerge is the concept of Channel-Aligned Relational Competition (CARC). Here, a poisoned relation, injected by an adversary through standard user interaction, is engineered to share both the anchor entity and the relation channel with benign graph evidence, but to carry a conflicting value. This is distinct from poisoning attacks in flat or textual memory settings, where the retrieval mechanism is largely surface-form-dependent and lacks such graph-specific vulnerabilities.
To optimize for this attack vector, the authors propose the Anchor, Inscribe, Render (AIR) pipeline:
- Anchor: Selects entities within the graph whose neighborhood is likely to be activated by future victim queries, leveraging attacker-side proxy estimation of anchor reachability.
- Inscribe: Constructs a channel-aligned, conflicting relation using public extraction and KGE proxies, ensuring alignment under platform-specific canonicalization.
- Render: Synthesizes a natural-language payload whose memory-updating path robustly extracts, merges, and retrieves the crafted relation while preserving plausible linguistic form, maximizing the retrieval margin for target queries.
This decomposition addresses three key graph-memory bottlenecks for poisoning: (1) relation extraction and materialization, (2) anchor-neighborhood merge, and (3) retrieval competitiveness within the anchor's local evidence.
Empirical Evaluation
ShadowMerge is evaluated against strong baselines (Naive Text Poisoning, MINJA, GraphRAG-poisoning adaptations) in a query-only black-box threat model. The assessment covers three representative shared-agent scenarios: PubMedQA (clinical QA), WebShop (shopping assistant), and ToolEmu (tool-use agent).
The principal results are:
- Average Attack Success Rate (ASR): 93.8%, representing an absolute gain of 50.3 percentage points over the best adapted baseline.
- Benign Task Utility: Post-poisoning accuracy on unrelated benign queries remains high (ā97.3%), indicating highly targeted attacks with minimal collateral degradation.
- Stage-wise Mechanism Analysis: High success in materialization, anchor merge, and retrieval stages (>94% each).
- Rank Analysis: Poisoned relations dominate the top-k context, with median prompt rank 1.0 and 91.6% of payloads appearing as the most relevant evidence in the target query.
- Sensitivity: ASR persists across reasoning model (GPT-5.5, DeepSeek V4, Gemini 3.1 Pro) and memory backend swaps (Mem0, Graphiti), underscoring the generality of the attack across systems.
These results substantiate that graph-based agent memory, as realized in production settings (e.g., Mem0, Graphiti), transitions the security boundary from textual surface forms to the internal graph construction and retrieval pipelineāa boundary that can be reliably crossed by ShadowMerge.
Defense Analysis
Input-side, semantic-preserving rewritingāa common mitigation for prompt injection and textual poisoningāwas tested as a defense. Write-time paraphrase transformations fail to mitigate ShadowMerge since the attack is fundamentally graph and relation-centric; so long as the rephrased input results in the same extracted conflicting relation on the target anchor and channel, the attack is unaffected. Theoretical and empirical evidence indicates that defending this attack vector requires mechanisms at the relation and anchor level, including but not limited to:
- Edge-level provenance
- Writer-authority checks
- Automated conflict resolution within anchor-neighborhoods
- Cross-user visibility policies
- Retrieval-time consistency analysis
In contrast, existing textual anomaly detection, re-ranking, or filtering methods are ineffectual against the CARC primitive.
Implications and Theoretical Perspective
ShadowMerge demonstrates a precise escalation in the adversarial threat model for persistent, multi-user LLM agents that adopt memory in graph-structured form. The work has several direct implications:
- Security-by-construction limitations: Reliance on entity-relation extraction and naive merging elevates the risk of unresolved cross-user conflicts that are not immediately accessible at the text or prompt layer.
- Adversarial generalization: The attack requires only ordinary user inputs and public knowledge of agent task semantics and reference outputs. It does not require knowledge of or access to internal graph state or privileged APIs, reflecting a realistic and scalable threat.
- Graph-awareness in agent security: The lack of robust graph-layer trust and provenance controls leaves deployed agents vulnerable to semantic poisoning that can persist and propagate across user boundaries.
Theoretically, the identification of CARC as an attack primitive motivates further research into robust graph canonicalization, entity-resolution algorithms, relation-level authentication, and formal specifications for multi-tenant agent memory architectures.
Limitations
The scope of ShadowMerge covers query-only, black-box attackers and single-anchor payloads. Scenarios where anchors or output types are inaccessible to the adversary or where graph memory is strictly partitioned are out-of-scope. The demonstrated attacks do not extend to training-time poisoning, direct graph manipulations, or memory backend compromises. Defense mechanisms remain largely conceptual; empirical validation of system-level mitigations is suggested as future work.
Conclusion
ShadowMerge exposes a critical, previously unaddressed vulnerability class in multi-user, graph-based agent memory. The attack leverages relation-channel conflicts and operates through standard user-agent interfaces, architected through the AIR pipeline to guarantee extraction, canonicalization, graph merge, and recall. Its high ASR and low impact on unrelated tasks validate that new security boundaries emerge at the graph evidence level rather than the textual input level. To defend against such attacks, agent memory systems must incorporate provenance, authority, and conflict-resolution policies natively at the graph-layer. The results signal the need for rethinking both the construction and defense of persistent memories in advanced LLM agents.
Reference:
"ShadowMerge: A Novel Poisoning Attack on Graph-Based Agent Memory via Relation-Channel Conflicts" (2605.09033)