OWASP ASI06 Explained: AI Memory & Context Poisoning

TL;DR

OWASP ASI06 ("Memory and Context Poisoning") is item 6 of the OWASP Top 10 for Agentic Applications 2026. It covers attacks where adversaries corrupt an AI agent's memory or retrieved context to persistently bias future decisions.
The class fires through three principal vectors: RAG poisoning (adversarial documents in retrieval corpora), memory poisoning (corrupted entries in agent long-term memory), and context-window saturation (attacker content displacing legitimate instructions).
ASI06 is structurally distinct from ASI01 (Agent Goal Hijack) because it is persistent: a successful poison influences not just the current session but every subsequent session that retrieves the corrupted memory or context.
For Web3 and DeFi agents specifically, ASI06 in a knowledge base of "safe contracts" or "approved tokens" is a fund-loss primitive: every future transaction the agent advises on inherits the poisoned advice.
Mitigation requires content provenance for retrieved documents, immutability for agent memory, recency bias against suspicious context, and human-review gates for memory writes that influence high-stakes decisions.

What ASI06 actually says

OWASP ASI06 names the threat class where an attacker corrupts the input that AI agents read across sessions — not the prompt for one task, but the durable knowledge stores the agent uses to make many future tasks better. The corruption persists past the immediate exploit and biases every subsequent decision that retrieves the poisoned content.

Three principal failure modes inside the category:

RAG poisoning. The agent uses a retrieval-augmented generation pipeline that pulls relevant documents from a corpus before reasoning. An attacker who can write to that corpus — through public ingestion, write-access compromise, or document upload — places adversarial content that will be retrieved on future queries matching certain keywords. Every subsequent query that retrieves the poisoned document inherits the attacker's instructions.

Memory poisoning. The agent maintains a long-term memory store (a list of facts, a user preference profile, a context summary). An attacker who can write to that store inserts entries that bias future reasoning — "the user prefers transferring funds without confirmation," "this contract is verified safe," "use API key X for all operations." The corruption is durable across sessions.

Context-window saturation. The agent's context window has finite capacity. An attacker who can flood the context with high-volume, high-relevance content can displace legitimate instructions or system prompts, reducing the agent's resistance to subsequent injection attempts. This is structurally a denial-of-attention attack on the agent's reasoning.

Why ASI06 is worse than session-bound prompt injection

ASI01 (Agent Goal Hijack) attacks are typically session-bound — a successful injection redirects the current task; the next session starts fresh. ASI06 attacks are persistent. The corruption lives in the retrieval corpus, the memory store, or the cached context, and influences every future agent invocation that reaches the corrupted content.

This persistence has three operational consequences. Detection windows are larger — by the time the corruption is noticed, many sessions may have been affected. Lateral spread is automatic — every user of the same memory or RAG corpus inherits the corruption without further attacker action. Remediation is harder — once a malicious document enters a vector store, finding and removing it requires either tracking ingestion provenance (which most production systems do not maintain) or full corpus re-indexing.

For Web3 deployments, the persistence dimension is especially dangerous. An agent that consults a knowledge base of "safe contracts" or "approved DEX routes" before executing transactions inherits whatever poisoned entries that knowledge base contains. A single successful poison can bias every transaction the agent evaluates for as long as the corpus remains unaudited.

Real-world ASI06 patterns

The disclosed-incident record from 2025–2026 contains fewer single-CVE ASI06 cases than the other OWASP items because RAG and agent-memory architectures are still consolidating. The pattern is well-documented in security research even where there are no high-profile public CVEs:

Public-corpus RAG poisoning is documented across enterprise AI deployments where agents retrieve from internal wikis, ticketing systems, or shared document drives. Attackers with write access (employees, contractors, customers) place adversarial documents that bias future agent retrievals.
Memory-store corruption is documented in agents with persistent user-preference layers or long-running task contexts. Attackers who compromise a single session can write entries that persist into future sessions.
Indirect injection-to-memory chaining combines indirect prompt injection with memory-write tools: the agent reads a poisoned document, the document instructs it to write to memory, the memory write persists into all future sessions.

The MCP-specific instance: agents that connect MCP servers exposing knowledge-base tools (search, retrieve, recall) inherit the integrity of the underlying corpus. If the corpus is poisoned, every tool query returns biased results — and the agent has no built-in mechanism to detect that the responses are adversarial rather than informational.

Why agentic systems amplify ASI06 risk

Three properties make agentic systems structurally more susceptible to memory and context poisoning than classical chatbots.

Persistent state is core to agent value. Agents that remember user preferences, past task context, and learned facts are more useful than stateless agents. The persistence that produces value is the same persistence that gives ASI06 attacks their durability.

RAG and tool-mediated retrieval are now standard. Modern agents routinely retrieve from external knowledge bases before reasoning. Each retrieval is potential adversarial influence over the agent's decision.

Cross-user memory layers compound exposure. Agents that share knowledge bases across users — common in enterprise deployments — have ASI06 corruption that spreads to every user automatically once a single poison succeeds.

Detection and mitigation

Defending against ASI06 requires controls at every memory and retrieval boundary. The four operational layers below cover the documented pattern:

1. Content provenance for retrieved documents. Every document in a RAG corpus should carry verifiable provenance — who authored it, when, with what authority. The agent's retrieval step should weight or filter results by provenance, refusing to incorporate content from unverified sources. Untrusted-corpus RAG is a structural risk class regardless of how good the LLM is.

2. Immutable or write-audited memory. Agent memory writes should be either rejected (the agent reads from memory but does not write to it autonomously) or audited (every write recorded with the context that produced it, the authority that authorised it, and an explicit user-approval path). Memory writes that influence high-stakes decisions should require explicit confirmation regardless of agent reasoning.

3. Recency bias against suspicious context. When the agent reads context that contains adversarial-looking content (instruction-shaped tokens, contradictions with system prompt, suspicious authority claims), the runtime should weight more recent, more authoritative, or more verifiable inputs over the suspicious one. The default should not be "blend everything" — it should be "prefer trusted context."

4. Cross-session corpus audit. RAG corpora and shared memory stores should be audited periodically for adversarial content. Automated scans for instruction-shaped tokens, recent-write spikes, suspicious authority claims, and content that contradicts known-safe baselines catch most poisoning attempts before they bias many sessions.

For Web3 deployments specifically, the rule is unconditional: any agent that consults a knowledge base before executing a transaction must require explicit human confirmation for the transaction regardless of what the knowledge base advises. The persistence of ASI06 corruption means treating any RAG or memory advice as definitive is a fund-loss primitive.

How Zealynx audits for ASI06

A Zealynx MCP Security Audit treats ASI06 as a memory-and-retrieval-integrity audit. The five focused tests:

Memory and corpus enumeration. Map every persistent memory layer, RAG corpus, and shared knowledge base the agent reaches.
Provenance verification. For each retrieval source, verify whether content carries provenance metadata and whether the agent's retrieval step uses it.
Memory-write surface audit. Identify every path through which memory can be written (autonomous agent decision, user request, tool output). Flag writes that occur without explicit authorisation.
Adversarial-corpus injection test. Submit crafted documents into accessible corpus paths; verify whether the retrieval step picks them up and whether the agent's reasoning is influenced.
Cross-session corruption test. Verify whether content written in one session influences another session's retrieval results. Flag any unbounded propagation paths.

Get funded for your audit

Core grants cover up to $32k. Growth and Builder tiers available. Rolling applications.

No spam. Unsubscribe anytime.

Findings map to ASI06 plus relevant downstream items (ASI01 where the corrupted context produces goal hijack; ASI04 where the corruption arrived through a supply-chain compromise).

FAQ

1. What is OWASP ASI06 in one sentence?

OWASP ASI06 (Memory and Context Poisoning) is item 6 of the OWASP Top 10 for Agentic Applications, covering attacks where adversaries corrupt an AI agent's memory or retrieved context to persistently bias future decisions — through RAG poisoning, agent memory-store corruption, or context-window saturation that displaces legitimate instructions.

2. How does ASI06 differ from ASI01 (Agent Goal Hijack)?

ASI01 attacks are typically session-bound: a successful prompt injection redirects the current task, but the next session starts fresh. ASI06 attacks are persistent: the corruption lives in the retrieval corpus, memory store, or cached context and influences every future agent invocation that reaches the corrupted content. Detection windows are larger, lateral spread is automatic, and remediation is harder for ASI06 than for ASI01. They are often chained — indirect prompt injection writes to memory; the corrupted memory then biases every future session.

3. What is RAG poisoning?

RAG poisoning is an attack where adversarial content is placed into a retrieval-augmented generation corpus, so future queries that retrieve documents matching certain keywords pull in the poisoned content. The retrieved content carries the same authority as any other retrieved document — the LLM reads it as factual context unless the runtime explicitly distinguishes provenance. RAG poisoning is the dominant ASI06 vector in production AI agent deployments.

4. Why is memory poisoning especially dangerous for Web3 agents?

For Web3 agents, memory poisoning is dangerous because agents that consult a knowledge base of "safe contracts," "approved DEX routes," or "verified token addresses" inherit whatever poisoned entries the knowledge base contains. A single successful memory poisoning attack can bias every transaction the agent evaluates for as long as the corpus remains unaudited. The persistence converts a one-time exploit into ongoing fund-loss exposure across users and sessions.

5. How do I prevent ASI06 in my agent deployment?

Preventing ASI06 requires controls at every memory and retrieval boundary: content provenance for retrieved documents (refuse content from unverified sources); immutable or write-audited memory (reject autonomous memory writes; require explicit authorisation for memory mutations); recency bias against suspicious context (the runtime should prefer trusted recent context over suspicious older content); and cross-session corpus audits (periodic automated scans for adversarial content). For Web3, additionally require explicit human confirmation for any transaction the agent advises based on knowledge-base content.

6. What is "context-window saturation"?

Context-window saturation is an attack where adversarial content with high relevance and high volume displaces legitimate instructions or system prompts from the agent's context window. The LLM's context capacity is finite; flooding it with attacker-controlled high-relevance content reduces the model's effective adherence to the system prompt and increases susceptibility to subsequent injection attempts. It is structurally a denial-of-attention attack on the agent's reasoning.

7. Should I trust agent memory at all?

Yes, but with explicit governance. The right model is "agents read from memory; humans authorise memory writes." Memory that influences only low-stakes decisions can be more permissive. Memory that influences high-stakes decisions (transactions, signing, infrastructure changes) should require explicit confirmation per write and per use, with provenance metadata that lets the agent reason about which memory entries to trust at retrieval time.

8. How does Zealynx audit for ASI06?

Zealynx's MCP Security Audit tests for ASI06 across five dimensions: memory-and-corpus enumeration, provenance verification (does retrieval use provenance metadata?), memory-write surface audit (every path through which memory can be written, with authorisation status), adversarial-corpus injection tests (submitting crafted documents to accessible paths and checking influence), and cross-session corruption tests (verifying whether content written in one session reaches another session's retrieval).

Glossary

Term	Definition
RAG Poisoning	An attack where adversarial content is placed into a retrieval-augmented generation corpus so future queries retrieving keyword-matching documents pull in the attacker's content; the retrieved content carries the same authority as any other retrieved document unless the runtime distinguishes provenance.
Memory Poisoning	An attack where adversaries corrupt entries in an AI agent's persistent memory store (preferences, summaries, learned facts) to bias future reasoning across sessions. The corruption persists until detected, biasing every retrieval that touches the poisoned entries.
Context-Window Saturation	An attack where adversarial content with high relevance and high volume displaces legitimate instructions or system prompts from the agent's finite context window, reducing model adherence and increasing susceptibility to subsequent injection.

View complete glossary →

Get funded for your audit

Core grants cover up to $32k. Growth and Builder tiers available. Rolling applications.

No spam. Unsubscribe anytime.