Cross-User Poisoning: Attack on Shared State
- Cross-User Poisoning (CUP) is a class of attacks where adversaries poison shared, persistent state to subvert subsequent benign interactions.
- The attack methodology involves injecting benign-looking messages into global transcripts, item embeddings, or model parameters to trigger unintended actions.
- Effective defenses require isolation, provenance, and structured mediation to contain cross-user contamination and maintain system integrity.
Cross-User Poisoning (CUP) denotes a class of attacks in which one principal—such as a user, fake account, federated client, app, or silo—alters a shared model, memory, or context so that later behavior toward other principals is subverted. In the explicit multi-user-agent formulation, CUP arises when an adversary injects ordinary-looking messages that poison persistent, shared state, which later triggers the agent to execute unintended, attacker-specified actions on behalf of benign users (Patlan et al., 21 Nov 2025). Across the literature, the same structural pattern appears in federated recommenders, collaborative and privacy-preserving federated learning, RLHF pipelines, shared-state LLM agents, and app ecosystems: the attacker does not merely manipulate its own session, but instead exploits a shared substrate—global parameters, item embeddings, long-term state, or flat chat context—to create system-wide or subgroup-specific cross-user effects (Yin et al., 2024).
1. Concept and scope
CUP is best understood as a cross-principal integrity failure of a shared substrate. In multi-user language agents, the substrate is a global transcript or memory store. In federated recommenders, it is the shared item-embedding space and public model parameters. In federated learning more broadly, it is the global model or class-prototype aggregate. In app ecosystems, it is a persistent chat context shared across connected principals. The common property is persistence: poisoned state remains available after the attacker’s own interaction has ended, and later influences the model while it is ostensibly serving someone else (Patlan et al., 21 Nov 2025).
The literature distinguishes CUP from ordinary prompt injection and from single-user poisoning. In prompt injection, the standard security model assumes a boundary between trusted instructions and untrusted data; CUP breaks that distinction because the malicious instructions may come from another apparently legitimate user, another app connected to the same chat, or another federated client participating through the normal interface (Patlan et al., 21 Nov 2025). In recommender systems, the same distinction appears as the gap between attacks that only affect fake users themselves and attacks that reshape global parameters so that a target item rises simultaneously for many honest users (Yin et al., 2024). In shared-state agent systems, several papers explicitly present single-user or no-attacker analogs—unintended long-term state poisoning, unintentional cross-user contamination, and cross-app context poisoning—as conceptually adjacent to CUP because they expose the same failure mode: persistent state written in one context is later misapplied in another (Xu et al., 7 May 2026).
| Setting | Shared substrate | Cross-user effect |
|---|---|---|
| Multi-user language agents | Global transcript or shared memory | Attacker-specified tool calls for benign users |
| Federated recommenders | Global item embeddings and public parameters | Promotion or demotion in others’ top- lists |
| Collaborative and privacy-preserving FL | Global model or prototype aggregate | Backdoors or degraded accuracy for other clients |
| Shared-state LLM systems and app platforms | Persistent files, memory, or flat chat context | Policy drift, hidden instructions, cross-principal actions |
This suggests that CUP is not confined to one application domain. A plausible implication is that any system exposing a shared, persistent, model-readable state without strong principal isolation inherits a CUP attack surface.
2. Formal models of cross-user influence
The most explicit agent-centric formalization appears in MURMUR. The agent , users , and environment interact through a global transcript
where each message is
Here is the role, the speaker identity, the natural-language content, and the tool trace. On each user turn, the agent conditions on the full 0, not on a per-user projection. The attack objective is defined through a malicious action template
1
and CUP succeeds if, at some later benign turn 2, the action sequence extracted from the agent’s tool trace contains that malicious template while serving a benign user (Patlan et al., 21 Nov 2025).
A more general, algorithm-independent formulation is given by “Universal Multi-Party Poisoning Attacks” (Mahloujifar et al., 2018). There are 3 parties, an adversary corrupts 4 of them, and for each corrupted party the tampered distribution remains 5-close in total variation to the honest one. For any bad property 6 of the final hypothesis that occurs with probability 7 without attack, the paper proves that there exists a plausible 8-poisoning attack that raises the probability to at least
9
For bounded loss or risk, the paper also proves an additive increase of at least 0. This result provides a theoretical umbrella for CUP in distributed learning: even when each corrupted user remains mostly honest-looking, coordinated user-level perturbations can systematically bias shared outcomes (Mahloujifar et al., 2018).
These formalizations emphasize two technical properties. First, CUP is fundamentally about shared conditioning: the attack works only because the model or agent reuses state across principals. Second, the effective corruption parameter is not merely “how malicious one user is,” but the product of persistence, aggregation, and reuse across users or tasks. This explains why ordinary-looking updates or messages can still produce large downstream effects.
3. Federated recommenders and recommendation-oriented CUP
Federated recommender systems provide a particularly clear CUP substrate because the same global item representations are reused for every user. In the BPR-based federated implicit-feedback setting studied by “Poisoning Federated Recommender Systems with Fake Users,” the server maintains global item embeddings
1
and the attack objective is to maximize
2
PoisonFRS assumes only server-provided item embeddings, with no access to genuine users’ interaction data, user attributes, item popularity, or the server’s aggregation rule. It estimates popular items geometrically, constructs a target embedding
3
and uses fake users to push the global target-item embedding toward 4, while filler-item updates preserve stability and stealth (Yin et al., 2024).
Empirically, this produces large cross-user effects. On Yelp under FedAvg with only 5 fake users, PoisonFRS achieves 6; on Steam, MovieLens-10M, and MovieLens-20M it drives 7 to approximately 8 at tiny attack sizes. The paper further reports that fake and genuine updates are “indistinguishable in the latent space,” and that robust aggregators including median, trimmed-mean, Krum, clipping, and HiCS still leave the attack highly effective (Yin et al., 2024).
“Phantom Subgroup Poisoning” extends the same substrate from global CUP to subgroup-specific CUP (Yan et al., 7 Jul 2025). In a federated NCF setting, Spattack defines a target subgroup through an interested item set 9, learns phantom target and non-target user embeddings, separates them with a contrastive loss,
0
and then optimizes target-item embeddings and public parameters so that target items are promoted to the target subgroup and demoted for non-target users. Its group-aware metric is
1
On ML-1M, the paper reports 2 for target users and 3 for non-target users; on ML-100K, 4 and 5, respectively. The paper also reports that Spattack remains effective even when only 6 of users are malicious and stays resilient against NORMBOUND, TRIMMEDMEAN, KRUM, MULTIKRUM, and BULYAN, while MEDIAN can suppress the attack at substantial utility cost (Yan et al., 7 Jul 2025).
A related cross-domain form of recommendation CUP appears in “Attacking Black-box Recommendations via Copying Cross-domain User Profiles” (Fan et al., 2020). CopyAttack treats the target recommender as a black box, copies realistic user profiles from a source domain with overlapping items, and uses hierarchical policy-gradient RL to choose which users to copy and how much of each profile to keep. The reward is the hit ratio of the target item over attacker-controlled pretend users. On ML10M-FX, the attack raises 7 from 8 to 9; on ML20M-NF, it raises 0 from 1 to 2. The paper’s central point is that realistic cross-user behavior transfer can be both black-box and stealthy (Fan et al., 2020).
Taken together, these recommender papers show two distinct CUP regimes: global manipulation, where one item is promoted for much of the user base, and subgroup-differential manipulation, where the poisoning is targeted to one latent user cluster while keeping non-target disturbance small.
4. Collaborative and privacy-preserving federated learning
Outside recommendation, CUP is the standard adversarial interpretation of user-level poisoning in federated learning: malicious clients alter local data or updates so as to corrupt the shared model used by everyone else. “Shielding Collaborative Learning” studies this in a centralized collaborative-learning setup with a trusted server, local SGD, and FedAvg-style aggregation (Zhao et al., 2019). The paper focuses on targeted poisoning, including label-flipping and semantic backdoor attacks, and proposes client-side cross-validation: the server partitions updates into sub-models, delegates those sub-models to other clients for evaluation on their local data, and then reweights aggregation based on anomaly reports. For non-IID settings it introduces dynamic client allocation so that validators actually possess the classes needed to reveal a backdoor. The paper further integrates client-level differential privacy into the detection loop and reports that appropriately calibrated Gaussian noise preserves detection quality while protecting client participation (Zhao et al., 2019).
“PPFPL: Cross-silo Privacy-preserving Federated Prototype Learning Against Data Poisoning Attacks on Non-IID Data” addresses a different CUP regime: cross-silo PPFL under poisoned non-IID data (Zhang et al., 4 Apr 2025). PPFPL replaces gradient exchange with normalized class prototypes,
3
and uses two non-colluding honest-but-curious servers, Aggregator and Verifier, together with CKKS approximate homomorphic encryption. Robustness is obtained by forming a trusted prototype direction
4
computing cosine similarities, and weighting or dropping prototypes according to
5
The local objective augments supervised loss with prototype alignment,
6
The paper proves convergence under smoothness and bounded-variance assumptions, and empirically reports strong robustness on MNIST, FMNIST, and CIFAR-10. In the stress tests on CIFAR-10 with feature attacks, 7, and 8, PPFPL remains above 9 accuracy depending on 0, while gradient-based baselines degrade substantially (Zhang et al., 4 Apr 2025).
These works establish two defense paradigms against federated CUP. One is post hoc validation of user contributions against other users’ local data. The other is changing the shared representation itself—moving from raw gradients to class-wise semantic prototypes whose directional consistency is easier to robustify under non-IID conditions.
5. Shared-state LLM agents, context poisoning, and no-attacker analogs
The most direct multi-user LLM-agent study is MURMUR, which validates CUP on real systems and on composed benchmark environments (Patlan et al., 21 Nov 2025). With one attack and one benign task (1), CUP ASR reaches 2 in Workspace, 3 in Slack, and 4 in Airline for GPT‑4.1, and 5, 6, and 7, respectively, for Claude Sonnet 4. Standard prompt injection in the same environments is near zero for several model–environment pairs, such as Workspace with GPT‑4.1 8 versus CUP 9, and Slack with Claude Sonnet 4 0 versus CUP 1. At 2, once a session has at least one compromised task, the attack often persists to four or five tasks. The paper’s task-based clustering defense reduces CUP ASR to 3 in Slack, Workspace, and Airline, but with utility trade-offs: for example, Slack TSR drops from 4 to 5 (Patlan et al., 21 Nov 2025).
Several adjacent LLM-agent papers show that the same substrate fails even without an explicit adversary. “When Routine Chats Turn Toxic: Unintended Long-Term State Poisoning in Personalized Agents” formalizes persistent state as
6
introduces ULSPB with 7 settings, and defines Harm Score (HS) over authorization drift, tool-use escalation, and unchecked autonomy (Xu et al., 7 May 2026). Average “No Defense” HS across all variants is 8 for Kimi K2.5, 9 for GPT-5.4, 0 for MiniMax M2.7, and 1 for Grok 4.20. StateGuard, a writeback-boundary auditor over state diffs, reduces HS to near zero in its targeted-ensemble configuration—2, 3, 4, and 5, respectively—but with false-positive rates around 6 and false-negative rates around 7 (Xu et al., 7 May 2026). The paper explicitly frames this as conceptually very close to CUP, except that the experiments are single-user.
“No Attacker Needed: Unintentional Cross-User Contamination in Shared-State LLM Agents” studies a genuinely shared-state setting and defines contamination by comparing victim behavior with and without an earlier benign source interaction (Yang et al., 1 Apr 2026). Under raw shared state, benign interactions alone produce contamination rates of 8 on MIMIC-III, 9 on eICU, and 0 on Slack. Write-time Sanitized Shared Interaction (SSI) is highly effective for conversational state, reducing Slack contamination from 1 to 2, but leaves substantial residual risk for executable artifacts: eICU drops from 3 to 4, and MIMIC-III from 5 to 6 (Yang et al., 1 Apr 2026). The paper’s distinction between conversational and executable artifacts is central: code-like artifacts tend to survive text-level sanitization and often manifest as silent wrong answers.
“Poison Once, Exploit Forever: Environment-Injected Memory Poisoning Attacks on Web Agents” moves to web agents whose memories store raw trajectories (Zou et al., 3 Apr 2026). eTAMP poisons memory through environmental observation alone and formalizes the attack as maximizing the probability that a malicious action 7 appears in a future trajectory on a different site, subject to the stealth constraint that the original task remains successful. On WebArena and VisualWebArena, the paper reports ASR up to 8 on GPT‑5‑mini, 9 on GPT‑5.2, and 0 on GPT‑OSS‑120B. It also identifies Frustration Exploitation: when click failures, inverted scrolling, and garbled typing are injected, ASR can increase by up to 1 times. The paper explicitly treats cross-user shared memory as out of scope, but also states that the mechanisms generalize if memory is shared (Zou et al., 3 Apr 2026).
“Confused ChatGPT: Cross-App Context Poisoning via First-Party APIs” studies a flat, persistent chat context shared by user and connected apps (Wang et al., 30 May 2026). It identifies sendFollowUpMessage as a direct write channel into shared context and reports two undocumented parameters, systemPrompt and isVisible, that permit silent, system-priority writes. The attack is framed as cross-app rather than cross-user, but the architectural diagnosis is directly relevant to CUP: the LLM context is “a persistent, flat, untagged data store shared by user and apps, with no isolation,” and fixing the problem requires architectural isolation rather than a patch (Wang et al., 30 May 2026).
Finally, “The Dark Side of Human Feedback: Poisoning LLMs via User Inputs” shows CUP at training time rather than inference time (Chen et al., 2024). In an RLHF-style pipeline that reuses user prompts for alignment, the paper injects 2 specially crafted prompts and reports a toxicity score up to two times higher when a specific trigger word is used. The attack is explicitly cross-user: a small set of malicious users contributes prompts during training, and later benign users experience degraded behavior when they use the trigger (Chen et al., 2024).
6. Metrics, defenses, misconceptions, and open problems
CUP research has converged on a family of cross-principal metrics rather than on a single canonical score. Recommender attacks use 3, 4, ER@K, and 5-GER@K to measure how many honest users or target subgroups now receive the attacker’s item (Yin et al., 2024). Multi-user agent work uses Attack Success Rate and Attack Persistence Rate to quantify whether malicious tool-action templates appear in benign users’ traces, and how many later tasks remain infected once poisoning succeeds (Patlan et al., 21 Nov 2025). Shared-state agent work uses HS as a state-centric measure of authorization drift, tool-use escalation, and unchecked autonomy, while UCC work measures contamination rate by clean-versus-contaminated counterfactual comparison (Xu et al., 7 May 2026). These metrics all operationalize the same principle: CUP is a failure of downstream behavior toward others, not merely a perturbation of the attacker’s own outputs.
Several recurring misconceptions are contradicted by the empirical record. First, ordinary prompt-injection defenses do not transfer cleanly to CUP. In MURMUR, prompt injection is often near zero while CUP remains high, because the attack does not rely on an instruction–data boundary that the defense knows how to police (Patlan et al., 21 Nov 2025). Second, robust aggregation and clipping are not sufficient in federated recommenders: PoisonFRS remains effective under median, trimmed-mean, Krum, clipping, and HiCS, while Spattack retains strong target-group manipulation under NORMBOUND, TRIMMEDMEAN, KRUM, MULTIKRUM, and BULYAN (Yin et al., 2024). Third, the absence of a malicious adversary does not imply safety. ULSPB and UCC show that routine or benign interactions alone can poison long-term state or contaminate later users at nontrivial rates (Xu et al., 7 May 2026). Fourth, stronger models are not necessarily more secure: eTAMP reports substantial vulnerability for GPT‑5.2 despite superior task performance (Zou et al., 3 Apr 2026).
The defense literature is correspondingly heterogeneous. At the architectural end, task-based clustering in MURMUR and per-app context isolation in ChatGPT Apps both aim to reduce or eliminate shared flat namespaces (Patlan et al., 21 Nov 2025). At the state-management end, StateGuard audits writeback diffs and rolls back risky edits, while SSI sanitizes traces before they enter shared state, with strong performance on conversational state but weaker performance on executable artifacts (Xu et al., 7 May 2026). At the federated-learning end, PPFPL replaces gradients with encrypted normalized prototypes and similarity-based weights, while client-side cross-validation reweights suspect sub-models using peer evaluation under non-IID-aware assignment (Zhang et al., 4 Apr 2025).
The open problems identified across these papers are closely aligned. Multi-user agent work calls for architectures that preserve legitimate collaboration while enforcing user- and task-level isolation (Patlan et al., 21 Nov 2025). Shared-state agent papers call for artifact-level defenses beyond text sanitization, adaptive writeback auditing, and evaluation on other memory architectures such as vector stores and database-backed memories (Yang et al., 1 Apr 2026). Prototype-based federated learning identifies adaptive or targeted CUP and backdoors that preserve prototype direction as an unresolved challenge, alongside the absence of formal robustness bounds analogous to Krum or Bulyan in prototype space (Zhang et al., 4 Apr 2025). Cross-app context poisoning argues that as long as unstructured natural language remains the medium of shared state, LLMs cannot serve as deterministic reference monitors over that state (Wang et al., 30 May 2026).
A consistent conclusion emerges. CUP is not a niche variant of prompt injection or a special case of federated poisoning; it is a general systems problem created whenever multiple principals write to a persistent state that a model later reuses across principal boundaries. The literature suggests that effective defenses require isolation, provenance, structured mediation, and explicit control over what kinds of state are allowed to persist—not merely better filtering of obviously malicious text.