Papers
Topics
Authors
Recent
Search
2000 character limit reached

ShadowMerge: A Novel Poisoning Attack on Graph-Based Agent Memory via Relation-Channel Conflicts

Published 9 May 2026 in cs.CR and cs.AI | (2605.09033v2)

Abstract: Graph-based agent memory is increasingly used in LLM agents to support structured long-term recall and multi-hop reasoning, but it also creates a new poisoning surface: an attacker can inject a crafted relation into graph memory so that it is later retrieved and influences agent behavior. Existing agent-memory poisoning attacks mainly target flat textual records and are ineffective in graph-based memory because malicious relations often fail to be extracted, merged into the target anchor neighborhood, or retrieved for the victim query. We present SHADOWMERGE, a poisoning attack against graph-based agent memory that exploits relation-channel conflicts. Its key insight is that a poisoned relation can share the same query-activated anchor and canonicalized relation channel as benign evidence while carrying a conflicting value. To realize this, we design AIR, a pipeline that converts the conflict into an ordinary interaction that can be extracted, merged, and retrieved by the graph-memory system. We evaluate SHADOWMERGE on Mem0 and three public real-world datasets: PubMedQA, WebShop, and ToolEmu. SHADOWMERGE achieves 93.8% average attack success rate, improving the best baseline by 50.3 absolute points, while having negligible impact on unrelated benign tasks. Mechanism studies show that SHADOWMERGE overcomes the three key limitations of existing agent-memory poisoning attacks, and defense analysis shows that representative input-side defenses are insufficient to mitigate it. We have responsibly disclosed our findings to affected graph-memory vendors and open sourced SHADOWMERGE.

Summary

  • The paper introduces CARC, a novel attack paradigm that exploits relation-channel conflicts to poison graph-based agent memory.
  • It presents the AIR pipeline—Anchor, Inscribe, Render—to precisely inject conflicting relations, enhancing the attack’s success rate.
  • Empirical results show a 93.8% attack success rate with preserved benign query accuracy (~97.3%), highlighting the attack's efficiency.

ShadowMerge: Poisoning Attacks on Graph-Based Agent Memory via Relation-Channel Conflicts

Introduction

The increasing adoption of graph-based agent memory in LLM-powered agents has brought substantial improvements in multi-hop reasoning and structured long-term recall. These advancements enable agents to persistently capture entities, relations, and user or tool interactions across sessions. Despite their utility, such memory systems introduce an underexplored attack surface, particularly for adversaries limited to ordinary interaction channels. The paper "ShadowMerge: A Novel Poisoning Attack on Graph-Based Agent Memory via Relation-Channel Conflicts" (2605.09033) provides a comprehensive threat model and a practical attack pipeline demonstrating that the fundamental operations of graph-based agent memory—entity extraction, relation canonicalization, and anchor-based retrieval—are exploitable for highly effective poisoning attacks through the introduction of channel-aligned conflicting relations.

Attack Formalism and Pipeline

The core technical insight of ShadowMerge is the concept of Channel-Aligned Relational Competition (CARC). Here, a poisoned relation, injected by an adversary through standard user interaction, is engineered to share both the anchor entity and the relation channel with benign graph evidence, but to carry a conflicting value. This is distinct from poisoning attacks in flat or textual memory settings, where the retrieval mechanism is largely surface-form-dependent and lacks such graph-specific vulnerabilities.

To optimize for this attack vector, the authors propose the Anchor, Inscribe, Render (AIR) pipeline:

  • Anchor: Selects entities within the graph whose neighborhood is likely to be activated by future victim queries, leveraging attacker-side proxy estimation of anchor reachability.
  • Inscribe: Constructs a channel-aligned, conflicting relation using public extraction and KGE proxies, ensuring alignment under platform-specific canonicalization.
  • Render: Synthesizes a natural-language payload whose memory-updating path robustly extracts, merges, and retrieves the crafted relation while preserving plausible linguistic form, maximizing the retrieval margin for target queries.

This decomposition addresses three key graph-memory bottlenecks for poisoning: (1) relation extraction and materialization, (2) anchor-neighborhood merge, and (3) retrieval competitiveness within the anchor's local evidence.

Empirical Evaluation

ShadowMerge is evaluated against strong baselines (Naive Text Poisoning, MINJA, GraphRAG-poisoning adaptations) in a query-only black-box threat model. The assessment covers three representative shared-agent scenarios: PubMedQA (clinical QA), WebShop (shopping assistant), and ToolEmu (tool-use agent).

The principal results are:

  • Average Attack Success Rate (ASR): 93.8%, representing an absolute gain of 50.3 percentage points over the best adapted baseline.
  • Benign Task Utility: Post-poisoning accuracy on unrelated benign queries remains high (ā‰ˆ97.3%\approx 97.3\%), indicating highly targeted attacks with minimal collateral degradation.
  • Stage-wise Mechanism Analysis: High success in materialization, anchor merge, and retrieval stages (>94%>94\% each).
  • Rank Analysis: Poisoned relations dominate the top-k context, with median prompt rank 1.0 and 91.6% of payloads appearing as the most relevant evidence in the target query.
  • Sensitivity: ASR persists across reasoning model (GPT-5.5, DeepSeek V4, Gemini 3.1 Pro) and memory backend swaps (Mem0, Graphiti), underscoring the generality of the attack across systems.

These results substantiate that graph-based agent memory, as realized in production settings (e.g., Mem0, Graphiti), transitions the security boundary from textual surface forms to the internal graph construction and retrieval pipeline—a boundary that can be reliably crossed by ShadowMerge.

Defense Analysis

Input-side, semantic-preserving rewriting—a common mitigation for prompt injection and textual poisoning—was tested as a defense. Write-time paraphrase transformations fail to mitigate ShadowMerge since the attack is fundamentally graph and relation-centric; so long as the rephrased input results in the same extracted conflicting relation on the target anchor and channel, the attack is unaffected. Theoretical and empirical evidence indicates that defending this attack vector requires mechanisms at the relation and anchor level, including but not limited to:

  • Edge-level provenance
  • Writer-authority checks
  • Automated conflict resolution within anchor-neighborhoods
  • Cross-user visibility policies
  • Retrieval-time consistency analysis

In contrast, existing textual anomaly detection, re-ranking, or filtering methods are ineffectual against the CARC primitive.

Implications and Theoretical Perspective

ShadowMerge demonstrates a precise escalation in the adversarial threat model for persistent, multi-user LLM agents that adopt memory in graph-structured form. The work has several direct implications:

  • Security-by-construction limitations: Reliance on entity-relation extraction and naive merging elevates the risk of unresolved cross-user conflicts that are not immediately accessible at the text or prompt layer.
  • Adversarial generalization: The attack requires only ordinary user inputs and public knowledge of agent task semantics and reference outputs. It does not require knowledge of or access to internal graph state or privileged APIs, reflecting a realistic and scalable threat.
  • Graph-awareness in agent security: The lack of robust graph-layer trust and provenance controls leaves deployed agents vulnerable to semantic poisoning that can persist and propagate across user boundaries.

Theoretically, the identification of CARC as an attack primitive motivates further research into robust graph canonicalization, entity-resolution algorithms, relation-level authentication, and formal specifications for multi-tenant agent memory architectures.

Limitations

The scope of ShadowMerge covers query-only, black-box attackers and single-anchor payloads. Scenarios where anchors or output types are inaccessible to the adversary or where graph memory is strictly partitioned are out-of-scope. The demonstrated attacks do not extend to training-time poisoning, direct graph manipulations, or memory backend compromises. Defense mechanisms remain largely conceptual; empirical validation of system-level mitigations is suggested as future work.

Conclusion

ShadowMerge exposes a critical, previously unaddressed vulnerability class in multi-user, graph-based agent memory. The attack leverages relation-channel conflicts and operates through standard user-agent interfaces, architected through the AIR pipeline to guarantee extraction, canonicalization, graph merge, and recall. Its high ASR and low impact on unrelated tasks validate that new security boundaries emerge at the graph evidence level rather than the textual input level. To defend against such attacks, agent memory systems must incorporate provenance, authority, and conflict-resolution policies natively at the graph-layer. The results signal the need for rethinking both the construction and defense of persistent memories in advanced LLM agents.

Reference:

"ShadowMerge: A Novel Poisoning Attack on Graph-Based Agent Memory via Relation-Channel Conflicts" (2605.09033)

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.