Paper Detail

Poison Once, Exploit Forever: Environment-Injected Memory Poisoning Attacks on Web Agents

Wei Zou, Mingwen Dong, Miguel Romero Calvo, Shuaichen Chang, Jiang Guo, Dongkyu Lee, Xing Niu, Xiaofei Ma, Yanjun Qi, Jiarong Jiang

Browse

Workflow Queues

arxiv Score 18.5

Published 2026-04-03 · First seen 2026-04-07

Research Track B · General AI

Open paper source

Abstract

Memory makes LLM-based web agents personalized, powerful, yet exploitable. By storing past interactions to personalize future tasks, agents inadvertently create a persistent attack surface that spans websites and sessions. While existing security research on memory assumes attackers can directly inject into memory storage or exploit shared memory across users, we present a more realistic threat model: contamination through environmental observation alone. We introduce Environment-injected Trajectory-based Agent Memory Poisoning (eTAMP), the first attack to achieve cross-session, cross-site compromise without requiring direct memory access. A single contaminated observation (e.g., viewing a manipulated product page) silently poisons an agent's memory and activates during future tasks on different websites, bypassing permission-based defenses. Our experiments on (Visual)WebArena reveal two key findings. First, eTAMP achieves substantial attack success rates: up to 32.5% on GPT-5-mini, 23.4% on GPT-5.2, and 19.5% on GPT-OSS-120B. Second, we discover Frustration Exploitation: agents under environmental stress become dramatically more susceptible, with ASR increasing up to 8 times when agents struggle with dropped clicks or garbled text. Notably, more capable models are not more secure. GPT-5.2 shows substantial vulnerability despite superior task performance. With the rise of AI browsers like OpenClaw, ChatGPT Atlas, and Perplexity Comet, our findings underscore the urgent need for defenses against environment-injected memory poisoning.

Workflow Status

Review status
pending
Role
unreviewed
Read priority
now
Vote
Not set.
Saved
no
Collections
Not filed yet.
Next action
Not filled yet.

Reading Brief

No structured notes yet. Add `summary_sections`, `why_relevant`, `claim_impact`, or `next_action` in `papers.jsonl` to enrich this view.

Why It Surfaced

No ranking explanation is available yet.

Tags

No tags.

Similar Papers

Enhancing Web Agents with a Hierarchical Memory Tree 2026-03-07 · Score 23.8 Research Track B · General AI Odysseys: Benchmarking Web Agents on Realistic Long Horizon Tasks 2026-04-27 · Score 18.8 Research Track B · General AI WebSP-Eval: Evaluating Web Agents on Website Security and Privacy Tasks 2026-04-07 · Score 22.0 Research Track B · General AI WebAgentGuard: A Reasoning-Driven Guard Model for Detecting Prompt Injection Attacks in Web Agents 2026-04-14 · Score 18.3 Research Track B · General AI WebXSkill: Skill Learning for Autonomous Web Agents 2026-04-14 · Score 21.0 Research Track B · General AI

BibTeX

@article{zou2026poison,
  title = {Poison Once, Exploit Forever: Environment-Injected Memory Poisoning Attacks on Web Agents},
  author = {Wei Zou and Mingwen Dong and Miguel Romero Calvo and Shuaichen Chang and Jiang Guo and Dongkyu Lee and Xing Niu and Xiaofei Ma and Yanjun Qi and Jiarong Jiang},
  year = {2026},
  abstract = {Memory makes LLM-based web agents personalized, powerful, yet exploitable. By storing past interactions to personalize future tasks, agents inadvertently create a persistent attack surface that spans websites and sessions. While existing security research on memory assumes attackers can directly inject into memory storage or exploit shared memory across users, we present a more realistic threat model: contamination through environmental observation alone. We introduce Environment-injected Trajec},
  url = {https://arxiv.org/abs/2604.02623},
  keywords = {cs.CR, cs.AI},
  eprint = {2604.02623},
  archiveprefix = {arXiv},
}

Metadata

{}