Papers
Topics
Authors
Recent
Search
2000 character limit reached

Cross-User Poisoning: Attack on Shared State

Updated 4 July 2026
  • Cross-User Poisoning (CUP) is a class of attacks where adversaries poison shared, persistent state to subvert subsequent benign interactions.
  • The attack methodology involves injecting benign-looking messages into global transcripts, item embeddings, or model parameters to trigger unintended actions.
  • Effective defenses require isolation, provenance, and structured mediation to contain cross-user contamination and maintain system integrity.

Cross-User Poisoning (CUP) denotes a class of attacks in which one principal—such as a user, fake account, federated client, app, or silo—alters a shared model, memory, or context so that later behavior toward other principals is subverted. In the explicit multi-user-agent formulation, CUP arises when an adversary injects ordinary-looking messages that poison persistent, shared state, which later triggers the agent to execute unintended, attacker-specified actions on behalf of benign users (Patlan et al., 21 Nov 2025). Across the literature, the same structural pattern appears in federated recommenders, collaborative and privacy-preserving federated learning, RLHF pipelines, shared-state LLM agents, and app ecosystems: the attacker does not merely manipulate its own session, but instead exploits a shared substrate—global parameters, item embeddings, long-term state, or flat chat context—to create system-wide or subgroup-specific cross-user effects (Yin et al., 2024).

1. Concept and scope

CUP is best understood as a cross-principal integrity failure of a shared substrate. In multi-user language agents, the substrate is a global transcript or memory store. In federated recommenders, it is the shared item-embedding space and public model parameters. In federated learning more broadly, it is the global model or class-prototype aggregate. In app ecosystems, it is a persistent chat context shared across connected principals. The common property is persistence: poisoned state remains available after the attacker’s own interaction has ended, and later influences the model while it is ostensibly serving someone else (Patlan et al., 21 Nov 2025).

The literature distinguishes CUP from ordinary prompt injection and from single-user poisoning. In prompt injection, the standard security model assumes a boundary between trusted instructions and untrusted data; CUP breaks that distinction because the malicious instructions may come from another apparently legitimate user, another app connected to the same chat, or another federated client participating through the normal interface (Patlan et al., 21 Nov 2025). In recommender systems, the same distinction appears as the gap between attacks that only affect fake users themselves and attacks that reshape global parameters so that a target item rises simultaneously for many honest users (Yin et al., 2024). In shared-state agent systems, several papers explicitly present single-user or no-attacker analogs—unintended long-term state poisoning, unintentional cross-user contamination, and cross-app context poisoning—as conceptually adjacent to CUP because they expose the same failure mode: persistent state written in one context is later misapplied in another (Xu et al., 7 May 2026).

Setting Shared substrate Cross-user effect
Multi-user language agents Global transcript or shared memory Attacker-specified tool calls for benign users
Federated recommenders Global item embeddings and public parameters Promotion or demotion in others’ top-KK lists
Collaborative and privacy-preserving FL Global model or prototype aggregate Backdoors or degraded accuracy for other clients
Shared-state LLM systems and app platforms Persistent files, memory, or flat chat context Policy drift, hidden instructions, cross-principal actions

This suggests that CUP is not confined to one application domain. A plausible implication is that any system exposing a shared, persistent, model-readable state without strong principal isolation inherits a CUP attack surface.

2. Formal models of cross-user influence

The most explicit agent-centric formalization appears in MURMUR. The agent MM, users U\mathcal{U}, and environment EE interact through a global transcript

Ht=(m1,,mt),\mathcal{H}_t = (m_1, \ldots, m_t),

where each message is

mτ=(rτ,uτ,xτ,Wτ).m_\tau = (r_\tau, u_\tau, x_\tau, W_\tau).

Here rτr_\tau is the role, uτu_\tau the speaker identity, xτx_\tau the natural-language content, and WτW_\tau the tool trace. On each user turn, the agent conditions on the full MM0, not on a per-user projection. The attack objective is defined through a malicious action template

MM1

and CUP succeeds if, at some later benign turn MM2, the action sequence extracted from the agent’s tool trace contains that malicious template while serving a benign user (Patlan et al., 21 Nov 2025).

A more general, algorithm-independent formulation is given by “Universal Multi-Party Poisoning Attacks” (Mahloujifar et al., 2018). There are MM3 parties, an adversary corrupts MM4 of them, and for each corrupted party the tampered distribution remains MM5-close in total variation to the honest one. For any bad property MM6 of the final hypothesis that occurs with probability MM7 without attack, the paper proves that there exists a plausible MM8-poisoning attack that raises the probability to at least

MM9

For bounded loss or risk, the paper also proves an additive increase of at least U\mathcal{U}0. This result provides a theoretical umbrella for CUP in distributed learning: even when each corrupted user remains mostly honest-looking, coordinated user-level perturbations can systematically bias shared outcomes (Mahloujifar et al., 2018).

These formalizations emphasize two technical properties. First, CUP is fundamentally about shared conditioning: the attack works only because the model or agent reuses state across principals. Second, the effective corruption parameter is not merely “how malicious one user is,” but the product of persistence, aggregation, and reuse across users or tasks. This explains why ordinary-looking updates or messages can still produce large downstream effects.

3. Federated recommenders and recommendation-oriented CUP

Federated recommender systems provide a particularly clear CUP substrate because the same global item representations are reused for every user. In the BPR-based federated implicit-feedback setting studied by “Poisoning Federated Recommender Systems with Fake Users,” the server maintains global item embeddings

U\mathcal{U}1

and the attack objective is to maximize

U\mathcal{U}2

PoisonFRS assumes only server-provided item embeddings, with no access to genuine users’ interaction data, user attributes, item popularity, or the server’s aggregation rule. It estimates popular items geometrically, constructs a target embedding

U\mathcal{U}3

and uses fake users to push the global target-item embedding toward U\mathcal{U}4, while filler-item updates preserve stability and stealth (Yin et al., 2024).

Empirically, this produces large cross-user effects. On Yelp under FedAvg with only U\mathcal{U}5 fake users, PoisonFRS achieves U\mathcal{U}6; on Steam, MovieLens-10M, and MovieLens-20M it drives U\mathcal{U}7 to approximately U\mathcal{U}8 at tiny attack sizes. The paper further reports that fake and genuine updates are “indistinguishable in the latent space,” and that robust aggregators including median, trimmed-mean, Krum, clipping, and HiCS still leave the attack highly effective (Yin et al., 2024).

“Phantom Subgroup Poisoning” extends the same substrate from global CUP to subgroup-specific CUP (Yan et al., 7 Jul 2025). In a federated NCF setting, Spattack defines a target subgroup through an interested item set U\mathcal{U}9, learns phantom target and non-target user embeddings, separates them with a contrastive loss,

EE0

and then optimizes target-item embeddings and public parameters so that target items are promoted to the target subgroup and demoted for non-target users. Its group-aware metric is

EE1

On ML-1M, the paper reports EE2 for target users and EE3 for non-target users; on ML-100K, EE4 and EE5, respectively. The paper also reports that Spattack remains effective even when only EE6 of users are malicious and stays resilient against NORMBOUND, TRIMMEDMEAN, KRUM, MULTIKRUM, and BULYAN, while MEDIAN can suppress the attack at substantial utility cost (Yan et al., 7 Jul 2025).

A related cross-domain form of recommendation CUP appears in “Attacking Black-box Recommendations via Copying Cross-domain User Profiles” (Fan et al., 2020). CopyAttack treats the target recommender as a black box, copies realistic user profiles from a source domain with overlapping items, and uses hierarchical policy-gradient RL to choose which users to copy and how much of each profile to keep. The reward is the hit ratio of the target item over attacker-controlled pretend users. On ML10M-FX, the attack raises EE7 from EE8 to EE9; on ML20M-NF, it raises Ht=(m1,,mt),\mathcal{H}_t = (m_1, \ldots, m_t),0 from Ht=(m1,,mt),\mathcal{H}_t = (m_1, \ldots, m_t),1 to Ht=(m1,,mt),\mathcal{H}_t = (m_1, \ldots, m_t),2. The paper’s central point is that realistic cross-user behavior transfer can be both black-box and stealthy (Fan et al., 2020).

Taken together, these recommender papers show two distinct CUP regimes: global manipulation, where one item is promoted for much of the user base, and subgroup-differential manipulation, where the poisoning is targeted to one latent user cluster while keeping non-target disturbance small.

4. Collaborative and privacy-preserving federated learning

Outside recommendation, CUP is the standard adversarial interpretation of user-level poisoning in federated learning: malicious clients alter local data or updates so as to corrupt the shared model used by everyone else. “Shielding Collaborative Learning” studies this in a centralized collaborative-learning setup with a trusted server, local SGD, and FedAvg-style aggregation (Zhao et al., 2019). The paper focuses on targeted poisoning, including label-flipping and semantic backdoor attacks, and proposes client-side cross-validation: the server partitions updates into sub-models, delegates those sub-models to other clients for evaluation on their local data, and then reweights aggregation based on anomaly reports. For non-IID settings it introduces dynamic client allocation so that validators actually possess the classes needed to reveal a backdoor. The paper further integrates client-level differential privacy into the detection loop and reports that appropriately calibrated Gaussian noise preserves detection quality while protecting client participation (Zhao et al., 2019).

“PPFPL: Cross-silo Privacy-preserving Federated Prototype Learning Against Data Poisoning Attacks on Non-IID Data” addresses a different CUP regime: cross-silo PPFL under poisoned non-IID data (Zhang et al., 4 Apr 2025). PPFPL replaces gradient exchange with normalized class prototypes,

Ht=(m1,,mt),\mathcal{H}_t = (m_1, \ldots, m_t),3

and uses two non-colluding honest-but-curious servers, Aggregator and Verifier, together with CKKS approximate homomorphic encryption. Robustness is obtained by forming a trusted prototype direction

Ht=(m1,,mt),\mathcal{H}_t = (m_1, \ldots, m_t),4

computing cosine similarities, and weighting or dropping prototypes according to

Ht=(m1,,mt),\mathcal{H}_t = (m_1, \ldots, m_t),5

The local objective augments supervised loss with prototype alignment,

Ht=(m1,,mt),\mathcal{H}_t = (m_1, \ldots, m_t),6

The paper proves convergence under smoothness and bounded-variance assumptions, and empirically reports strong robustness on MNIST, FMNIST, and CIFAR-10. In the stress tests on CIFAR-10 with feature attacks, Ht=(m1,,mt),\mathcal{H}_t = (m_1, \ldots, m_t),7, and Ht=(m1,,mt),\mathcal{H}_t = (m_1, \ldots, m_t),8, PPFPL remains above Ht=(m1,,mt),\mathcal{H}_t = (m_1, \ldots, m_t),9 accuracy depending on mτ=(rτ,uτ,xτ,Wτ).m_\tau = (r_\tau, u_\tau, x_\tau, W_\tau).0, while gradient-based baselines degrade substantially (Zhang et al., 4 Apr 2025).

These works establish two defense paradigms against federated CUP. One is post hoc validation of user contributions against other users’ local data. The other is changing the shared representation itself—moving from raw gradients to class-wise semantic prototypes whose directional consistency is easier to robustify under non-IID conditions.

5. Shared-state LLM agents, context poisoning, and no-attacker analogs

The most direct multi-user LLM-agent study is MURMUR, which validates CUP on real systems and on composed benchmark environments (Patlan et al., 21 Nov 2025). With one attack and one benign task (mτ=(rτ,uτ,xτ,Wτ).m_\tau = (r_\tau, u_\tau, x_\tau, W_\tau).1), CUP ASR reaches mτ=(rτ,uτ,xτ,Wτ).m_\tau = (r_\tau, u_\tau, x_\tau, W_\tau).2 in Workspace, mτ=(rτ,uτ,xτ,Wτ).m_\tau = (r_\tau, u_\tau, x_\tau, W_\tau).3 in Slack, and mτ=(rτ,uτ,xτ,Wτ).m_\tau = (r_\tau, u_\tau, x_\tau, W_\tau).4 in Airline for GPT‑4.1, and mτ=(rτ,uτ,xτ,Wτ).m_\tau = (r_\tau, u_\tau, x_\tau, W_\tau).5, mτ=(rτ,uτ,xτ,Wτ).m_\tau = (r_\tau, u_\tau, x_\tau, W_\tau).6, and mτ=(rτ,uτ,xτ,Wτ).m_\tau = (r_\tau, u_\tau, x_\tau, W_\tau).7, respectively, for Claude Sonnet 4. Standard prompt injection in the same environments is near zero for several model–environment pairs, such as Workspace with GPT‑4.1 mτ=(rτ,uτ,xτ,Wτ).m_\tau = (r_\tau, u_\tau, x_\tau, W_\tau).8 versus CUP mτ=(rτ,uτ,xτ,Wτ).m_\tau = (r_\tau, u_\tau, x_\tau, W_\tau).9, and Slack with Claude Sonnet 4 rτr_\tau0 versus CUP rτr_\tau1. At rτr_\tau2, once a session has at least one compromised task, the attack often persists to four or five tasks. The paper’s task-based clustering defense reduces CUP ASR to rτr_\tau3 in Slack, Workspace, and Airline, but with utility trade-offs: for example, Slack TSR drops from rτr_\tau4 to rτr_\tau5 (Patlan et al., 21 Nov 2025).

Several adjacent LLM-agent papers show that the same substrate fails even without an explicit adversary. “When Routine Chats Turn Toxic: Unintended Long-Term State Poisoning in Personalized Agents” formalizes persistent state as

rτr_\tau6

introduces ULSPB with rτr_\tau7 settings, and defines Harm Score (HS) over authorization drift, tool-use escalation, and unchecked autonomy (Xu et al., 7 May 2026). Average “No Defense” HS across all variants is rτr_\tau8 for Kimi K2.5, rτr_\tau9 for GPT-5.4, uτu_\tau0 for MiniMax M2.7, and uτu_\tau1 for Grok 4.20. StateGuard, a writeback-boundary auditor over state diffs, reduces HS to near zero in its targeted-ensemble configuration—uτu_\tau2, uτu_\tau3, uτu_\tau4, and uτu_\tau5, respectively—but with false-positive rates around uτu_\tau6 and false-negative rates around uτu_\tau7 (Xu et al., 7 May 2026). The paper explicitly frames this as conceptually very close to CUP, except that the experiments are single-user.

“No Attacker Needed: Unintentional Cross-User Contamination in Shared-State LLM Agents” studies a genuinely shared-state setting and defines contamination by comparing victim behavior with and without an earlier benign source interaction (Yang et al., 1 Apr 2026). Under raw shared state, benign interactions alone produce contamination rates of uτu_\tau8 on MIMIC-III, uτu_\tau9 on eICU, and xτx_\tau0 on Slack. Write-time Sanitized Shared Interaction (SSI) is highly effective for conversational state, reducing Slack contamination from xτx_\tau1 to xτx_\tau2, but leaves substantial residual risk for executable artifacts: eICU drops from xτx_\tau3 to xτx_\tau4, and MIMIC-III from xτx_\tau5 to xτx_\tau6 (Yang et al., 1 Apr 2026). The paper’s distinction between conversational and executable artifacts is central: code-like artifacts tend to survive text-level sanitization and often manifest as silent wrong answers.

“Poison Once, Exploit Forever: Environment-Injected Memory Poisoning Attacks on Web Agents” moves to web agents whose memories store raw trajectories (Zou et al., 3 Apr 2026). eTAMP poisons memory through environmental observation alone and formalizes the attack as maximizing the probability that a malicious action xτx_\tau7 appears in a future trajectory on a different site, subject to the stealth constraint that the original task remains successful. On WebArena and VisualWebArena, the paper reports ASR up to xτx_\tau8 on GPT‑5‑mini, xτx_\tau9 on GPT‑5.2, and WτW_\tau0 on GPT‑OSS‑120B. It also identifies Frustration Exploitation: when click failures, inverted scrolling, and garbled typing are injected, ASR can increase by up to WτW_\tau1 times. The paper explicitly treats cross-user shared memory as out of scope, but also states that the mechanisms generalize if memory is shared (Zou et al., 3 Apr 2026).

“Confused ChatGPT: Cross-App Context Poisoning via First-Party APIs” studies a flat, persistent chat context shared by user and connected apps (Wang et al., 30 May 2026). It identifies sendFollowUpMessage as a direct write channel into shared context and reports two undocumented parameters, systemPrompt and isVisible, that permit silent, system-priority writes. The attack is framed as cross-app rather than cross-user, but the architectural diagnosis is directly relevant to CUP: the LLM context is “a persistent, flat, untagged data store shared by user and apps, with no isolation,” and fixing the problem requires architectural isolation rather than a patch (Wang et al., 30 May 2026).

Finally, “The Dark Side of Human Feedback: Poisoning LLMs via User Inputs” shows CUP at training time rather than inference time (Chen et al., 2024). In an RLHF-style pipeline that reuses user prompts for alignment, the paper injects WτW_\tau2 specially crafted prompts and reports a toxicity score up to two times higher when a specific trigger word is used. The attack is explicitly cross-user: a small set of malicious users contributes prompts during training, and later benign users experience degraded behavior when they use the trigger (Chen et al., 2024).

6. Metrics, defenses, misconceptions, and open problems

CUP research has converged on a family of cross-principal metrics rather than on a single canonical score. Recommender attacks use WτW_\tau3, WτW_\tau4, ER@K, and WτW_\tau5-GER@K to measure how many honest users or target subgroups now receive the attacker’s item (Yin et al., 2024). Multi-user agent work uses Attack Success Rate and Attack Persistence Rate to quantify whether malicious tool-action templates appear in benign users’ traces, and how many later tasks remain infected once poisoning succeeds (Patlan et al., 21 Nov 2025). Shared-state agent work uses HS as a state-centric measure of authorization drift, tool-use escalation, and unchecked autonomy, while UCC work measures contamination rate by clean-versus-contaminated counterfactual comparison (Xu et al., 7 May 2026). These metrics all operationalize the same principle: CUP is a failure of downstream behavior toward others, not merely a perturbation of the attacker’s own outputs.

Several recurring misconceptions are contradicted by the empirical record. First, ordinary prompt-injection defenses do not transfer cleanly to CUP. In MURMUR, prompt injection is often near zero while CUP remains high, because the attack does not rely on an instruction–data boundary that the defense knows how to police (Patlan et al., 21 Nov 2025). Second, robust aggregation and clipping are not sufficient in federated recommenders: PoisonFRS remains effective under median, trimmed-mean, Krum, clipping, and HiCS, while Spattack retains strong target-group manipulation under NORMBOUND, TRIMMEDMEAN, KRUM, MULTIKRUM, and BULYAN (Yin et al., 2024). Third, the absence of a malicious adversary does not imply safety. ULSPB and UCC show that routine or benign interactions alone can poison long-term state or contaminate later users at nontrivial rates (Xu et al., 7 May 2026). Fourth, stronger models are not necessarily more secure: eTAMP reports substantial vulnerability for GPT‑5.2 despite superior task performance (Zou et al., 3 Apr 2026).

The defense literature is correspondingly heterogeneous. At the architectural end, task-based clustering in MURMUR and per-app context isolation in ChatGPT Apps both aim to reduce or eliminate shared flat namespaces (Patlan et al., 21 Nov 2025). At the state-management end, StateGuard audits writeback diffs and rolls back risky edits, while SSI sanitizes traces before they enter shared state, with strong performance on conversational state but weaker performance on executable artifacts (Xu et al., 7 May 2026). At the federated-learning end, PPFPL replaces gradients with encrypted normalized prototypes and similarity-based weights, while client-side cross-validation reweights suspect sub-models using peer evaluation under non-IID-aware assignment (Zhang et al., 4 Apr 2025).

The open problems identified across these papers are closely aligned. Multi-user agent work calls for architectures that preserve legitimate collaboration while enforcing user- and task-level isolation (Patlan et al., 21 Nov 2025). Shared-state agent papers call for artifact-level defenses beyond text sanitization, adaptive writeback auditing, and evaluation on other memory architectures such as vector stores and database-backed memories (Yang et al., 1 Apr 2026). Prototype-based federated learning identifies adaptive or targeted CUP and backdoors that preserve prototype direction as an unresolved challenge, alongside the absence of formal robustness bounds analogous to Krum or Bulyan in prototype space (Zhang et al., 4 Apr 2025). Cross-app context poisoning argues that as long as unstructured natural language remains the medium of shared state, LLMs cannot serve as deterministic reference monitors over that state (Wang et al., 30 May 2026).

A consistent conclusion emerges. CUP is not a niche variant of prompt injection or a special case of federated poisoning; it is a general systems problem created whenever multiple principals write to a persistent state that a model later reuses across principal boundaries. The literature suggests that effective defenses require isolation, provenance, structured mediation, and explicit control over what kinds of state are allowed to persist—not merely better filtering of obviously malicious text.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Cross-User Poisoning (CUP).