EPS
← All batches·2605.09033

ShadowMerge: A Novel Poisoning Attack on Graph-Based Agent Memory via Relation-Channel Conflicts

topic: general_safetytop score: 100released: 2026-05-12first surfaced: 2026-05-12arXivPDFthreats2026-05-12

Authors: Yang Luo, Zifeng Kang, Tiantian Ji et al.

arXiv · PDF

Summary

The authors introduce ShadowMerge, an attack on LLM agents that use graph-based memory systems (like knowledge graphs that store facts and relationships). The idea is to inject a poisoned relationship into the graph that shares the same "anchor" (starting entity) and "channel" (relationship type) as legitimate facts but carries a malicious conflicting value—so when the agent retrieves that relationship later, it uses the attacker's data instead of the truth. They test this on Mem0 and three real-world agent datasets (medical Q&A, shopping, tool use) and achieve 93.8% attack success rate, outperforming prior agent-memory poisoning methods by 50 percentage points, and show that standard defenses don't stop it.

Main takeaways:

  • Graph-based agent memory creates a new attack surface: you can poison a relation (edge) in the knowledge graph, not just flat text.
  • The attack works by creating a "relation-channel conflict"—a malicious fact that looks legitimate to the graph's extraction, merging, and retrieval systems but carries a different (harmful) value.
  • Tested on medical, shopping, and tool-use agents, ShadowMerge succeeds 93.8% of the time and doesn't hurt the agent's performance on unrelated tasks.
  • Existing input-side defenses (filtering, prompt screening) are insufficient to block this attack.
  • The authors disclosed the vulnerability to graph-memory vendors and open-sourced the attack code.

Relevance

Not directly related to my persona/midtraining work—this is about poisoning structured memory in deployed agents, not behavioral installation or persona boundaries. Tangentially relevant only if I were studying how injected knowledge persists across contexts or how memory structures interact with persona switching.

Threat model

Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, limitations.

Abstract

arXiv:2605.09033v1 Announce Type: new Abstract: Graph-based agent memory is increasingly used in LLM agents to support structured long-term recall and multi-hop reasoning, but it also creates a new poisoning surface: an attacker can inject a crafted relation into graph memory so that it is later retrieved and influences agent behavior. Existing agent-memory poisoning attacks mainly target flat textual records and are ineffective in graph-based memory because malicious relations often fail to be extracted, merged into the target anchor neighborhood, or retrieved for the victim query. We present SHADOWMERGE, a poisoning attack against graph-based agent memory that exploits relation-channel conflicts. Its key insight is that a poisoned relation can share the same query-activated anchor and canonicalized relation channel as benign evidence while carrying a conflicting value. To realize this, we design AIR, a pipeline that converts the conflict into an ordinary interaction that can be extracted, merged, and retrieved by the graph-memory system. We evaluate SHADOWMERGE on Mem0 and three public real-world datasets: PubMedQA, WebShop, and ToolEmu. SHADOWMERGE achieves 93.8% average attack success rate, improving the best baseline by 50.3 absolute points, while having negligible impact on unrelated benign tasks. Mechanism studies show that SHADOWMERGE overcomes the three key limitations of existing agent-memory poisoning attacks, and defense analysis shows that representative input-side defenses are insufficient to mitigate it. We have responsibly disclosed our findings to affected graph-memory vendors and open sourced SHADOWMERGE.