« All posts

MemGhost: One Email Can Permanently Poison an AI Agent's Memory

MemGhost attack lets a single email permanently poison AI agent memory, exposing gaps in how agent write-authorization is designed.

A new attack called MemGhost uses a single hidden instruction, embedded in an email, to convince an AI agent to rewrite its own persistent memory — for example, raising a Zelle transfer limit. Once written, that false data becomes 'fact' for every future interaction. The attack doesn't break input filters or authorization boundaries; it simply uses the agent's own legitimate memory-write tool as intended, which is why it succeeds against frontier models at an 87.5% rate.

The real fix isn't smarter prompt classifiers — it's treating memory writes with the same rigor as financial transactions: provenance checks, human confirmation for sensitive fields, and strict limits on what write tools can touch. Trust level of source content must be separated from trust level of the action taken. For security teams, 'we have input filtering' is no longer a control, just a talking point. The open question: will rollback and audit mechanisms become a hard requirement before shipping persistent memory, or will the industry patch this only after a real-world incident makes headlines?