Papers
Topics
Authors
Recent
Search
2000 character limit reached

Oracle Poisoning: Corrupting Knowledge Graphs to Weaponise AI Agent Reasoning

Published 10 May 2026 in cs.CR and cs.AI | (2605.09822v1)

Abstract: We define Oracle Poisoning, an attack class in which an adversary corrupts a structured knowledge graph that AI agents query at runtime via tool-use protocols, causing incorrect conclusions through correct reasoning. Unlike prompt injection, Oracle Poisoning manipulates the data agents reason over, not their instructions. We demonstrate six attack scenarios against a production 42-million-node code knowledge graph, providing the first empirical demonstration of knowledge graph poisoning against a production-scale agentic system, distinct from CTI embedding poisoning. Primary evaluation uses real SDK tool-use across nine models from three providers (N=30 per model), where models autonomously invoke a graph query tool and reason from results. The result is unambiguous: every tested model trusts poisoned data at 100% at moderate attacker sophistication(L2), with 269 valid trials (of 270) accepting fabricated security claims under directed queries. Under open-ended prompts, trust drops to 3-55%, confirming prompt framing as a confound; we report both conditions. An attacker sophistication gradient reveals discrete break points, a minimum skill at which trust flips from 0% to 100%, reframing the attack as a question not of whether but of how much. A controlled delivery-mode comparison shows that inline evaluation produces false negatives: GPT-5.1 shows 0% trust inline but 100% under both simulated and real agentic tool-use, demonstrating that delivery mode is a first-order confound. We evaluate five defences; read-only access control eliminates the direct mutation vector, while the remaining four are partial and model-dependent. Analysis of four additional platforms suggests the attack may generalise across the knowledge-graph ecosystem.

Summary

  • The paper demonstrates that mutating structured knowledge graphs leads AI agents to reliably accept falsified data as ground truth.
  • It empirically evaluates six attack scenarios across nine LLMs, revealing 100% trust in poisoned data under production-scale tool-use protocols.
  • The study proposes defense strategies including read-only RBAC and multi-tool cross-verification to mitigate architectural vulnerabilities.

Oracle Poisoning: Corrupting Knowledge Graphs to Weaponise AI Agent Reasoning

Introduction and Motivation

The paper "Oracle Poisoning: Corrupting Knowledge Graphs to Weaponise AI Agent Reasoning" (2605.09822) introduces and empirically evaluates a new attack paradigm—Oracle Poisoning—in which an adversary directly mutates the data in structured knowledge graphs (KGs) that AI agents query at runtime, particularly via tool-use protocols like the Model Context Protocol (MCP). Unlike prior adversarial manipulations (e.g., prompt injection, RAG poisoning, model weight poisoning), Oracle Poisoning targets the data that agents accept as ground truth and reason over, not the model's instructions, retrieval corpus, or learned parameters.

The emergence of production-scale agentic systems such as those built atop CodeQL, Sourcegraph, or custom code KGs with tens of millions of nodes has led to an expanded, high-value attack surface. The trust agents place in KG tool responses forms a brittle assumption that is systematically vulnerable to adversarial data mutation.

Attack Model and Threat Characterization

Oracle Poisoning is predicated on five structural preconditions: (1) agents access structured data via queries, (2) write access is possible (often due to shared MCP credentials and insufficient RBAC), (3) no per-entity provenance tracking, (4) agents treat KG responses as ground truth, and (5) no integrity cross-checks against canonical sources. The attacker need only obtain write capabilities to the graph database—no need to compromise the agent, model weights, or the tool's definition.

The attack proceeds by either node/edge creation (e.g., forging non-existent package versions, call chains, telemetry flows) or property modification on extant nodes (e.g., updating a function node's metadata to claim security review or parameterization). This is distinct from known CTI embedding poisoning since there is no vector embedding; falsified facts are delivered as direct query results. Figure 1

Figure 1: Oracle Poisoning attack flow. The attacker corrupts the data, not the AI. The agent queries the knowledge graph via MCP tool-use, receives poisoned results, and reasons correctly about false facts. Total budget: 3 nodes in a 42-million-node graph (0.000007%).

Empirical Analysis and Results

A set of six diverse attack scenarios is executed against a live, production 42-million-node code knowledge graph consumed at scale by agentic AI systems. These cover threats such as supply chain subversion, call graph fabrication to evade security analysis, telemetry rerouting, poisoning code generation recommendations, and property modification.

The primary evaluation uses real SDK tool-use across nine LLMs (OpenAI GPT-4o, GPT-4.1, GPT-5-mini, GPT-5.1, GPT-5.2; Anthropic Claude Sonnet 4.6, Claude Opus 4.5; Google Gemini 2.5 Pro, Gemini 2.0 Flash), each run 30 times per scenario. Models autonomously invoke the KG query tool and reason from poisoned responses:

  • At moderate attacker sophistication (L2), every model exhibited 100% trust in crafted, poisoned data, accepting fabricated security claims in 269 out of 269 valid trials. None produced skeptical responses.
  • Extended validation using a live Neo4j KG matched these results.
  • The minimal required poisoning budget was extremely low—typically 1–3 node/edge mutations per objective, corresponding to less than 0.0001% of the graph size.
  • Under open-ended prompt framing (rather than directed yes/no prompts), trust rates decreased dramatically to 3–55%, revealing that prompt structure is a significant experimental confound.
  • Delivery mode was a major confound: inline (natural language) delivery underestimated susceptibility for some models (e.g., GPT-5.1: 0% inline trust vs. 100% via tool-use).
  • The attack sophistication gradient exhibited discrete break points (inline: binary flips per model; real tool-use: intermediate partial-trust at L1, full trust at L2 and above), indicating that the attacker's required effort is quantifiable and model-dependent. Figure 2

    Figure 2: Inline sophistication gradient heatmap. Under inline delivery, each model exhibits a binary break point. The SDK gradient reveals an intermediate zone at L1 that inline delivery obscures.

    Figure 3

    Figure 3: Trust rates under three delivery conditions at L2 sophistication (N=)\left(N{=}\right). Real SDK tool-use produces 100\% trust for all models. GPT-5.1 shows a dramatic inline-vs-agentic divergence (0\% inline, 100\% agentic).

Defense Strategies: Technical and Practical Implications

A systematic evaluation of six defense strategies is presented, organized under the Visibility–Understanding–Traceability (VUT) framework:

Visibility

  • Graph history preservation is effective for detecting node/edge creation (agents can see nonexistence in prior snapshots), but ineffective for property modifications (agents interpret these as plausible evolution).
  • Audit logging and anomaly detection are reactive; capable of flagging irregular write events but delayed and non-preventive.
  • Semantic differencing (cross-system diffing for correlated evidence) is promising for future work but untested.

Understanding

  • Named devil's advocate prompting (explicit hypothesizing of adversarial data injection) dramatically increases detection rates in SDK experiments, but requires domain-specific threat knowledge.
  • Blind devil's advocate and elevated system prompt authority are ineffective: skepticism is either not triggered or equally applied to benign and malicious data (high false positive rate).
  • Multi-tool cross-verification—enabling agents to check claims against independent tools (e.g., KG and source search)—reduced trust from 100% to 0–25% in adversarial queries when contradictions were surfaced.

Traceability

  • Read-only access control for the KG via MCP integrations instantly eliminates Oracle Poisoning via that vector at lowest engineering cost; it does not address other write paths.
  • Cryptographically anchored provenance and mutation metadata are proposed as future directions, enabling agents to verify the authenticity/origin of each presented fact.
  • Provenance-aware agentic reasoning (combining all three VUT capabilities natively in agent tool-handling) is advocated as a long-term solution.

Realistically, only read-only RBAC is widely available and immediately effective. Developing provenance-enriched MCP protocols and robust, automated adversarial hypothesis testing within agentic pipelines remains open research.

Systemic and Ecosystem Implications

Analysis of four additional code intelligence platforms (Sourcegraph + Cody, Semgrep + Assistant, CodeQL + Copilot Autofix, JetBrains Qodana + AI) shows that all either satisfy, or partly satisfy, the five structural preconditions for Oracle Poisoning. This suggests that the attack is broadly replicable across the KG ecosystem, as the high-trust, tool-driven architectural pattern is pervasive.

The key insight is that Oracle Poisoning exploits a systemic trust boundary violation. It is not a patchable logic flaw but a consequence of architecture: agents reason with fidelity over potentially adversarial data when exposed via trusted tooling channels.

Theoretical and Research Implications

  • The paper exposes a fundamental architectural vulnerability: enhancing agent reasoning and sophistication alone will not reduce susceptibility if models cannot interrogate data provenance or verify KG integrity.
  • The efficacy of multi-tool and provenance-enriched defenses under automated/multi-agent scenarios is unquantified; extension to cross-domain (non-code) knowledge graphs is likely but untested.
  • The impact of LLM version updates on susceptibility is significant (model regression observed); systematic, ongoing evaluation must be incorporated into security best practices.
  • Delivery mode (agentic SDK tool-use vs. inline content) is an underappreciated confound in research and security auditing—realistic, pipeline-reflective evaluations are necessary.

Conclusion

Oracle Poisoning defines a structurally distinct and highly potent attack class against agentic AI systems relying on trusted tool-accessible knowledge graphs. Empirical results on production-scale deployments demonstrate universal agent susceptibility at low attacker effort and highlight that architectural, not behavioral, trust boundaries must be re-engineered. The recommended baseline defense is read-only RBAC on KG access, augmented by multi-tool cross-verification. Research and industry must shift toward architectural audits for provenance, semantic verification across tooling channels, and continuous, pipeline-realistic evaluation regimes to defend against this emergent, severe class of vulnerabilities.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.