CL · AI · CR · Apr 1

No Attacker Needed: Unintentional Cross-User Contamination in Shared-State LLM Agents

arXiv:2604.01350 · 22.41 citations · h-index: 6
Predicted impact: top 72% in CL · last 90 days
Originality: Incremental advance
AI Analysis

The paper addresses a critical failure mode for teams and organizations that use shared LLM agents, where errors can occur silently. Its contribution is incremental: it formalizes and evaluates the issue.

The paper tackled the problem of unintentional cross-user contamination (UCC) in shared-state LLM agents, where information from one user degrades another's outcomes without an attacker, and found contamination rates of 57-71% under raw shared state, with sanitization leaving residual risks.

LLM-based agents increasingly operate across repeated sessions, maintaining task states to ensure continuity. In many deployments, a single agent serves multiple users within a team or organization, reusing a shared knowledge layer across user identities. This shared persistence expands the failure surface: information that is locally valid for one user can silently degrade another user's outcome when the agent reapplies it without regard for scope. We refer to this failure mode as unintentional cross-user contamination (UCC). Unlike adversarial memory poisoning, UCC requires no attacker; it arises from benign interactions whose scope-bound artifacts persist and are later misapplied. We formalize UCC through a controlled evaluation protocol, introduce a taxonomy of three contamination types, and evaluate the problem in two shared-state mechanisms. Under raw shared state, benign interactions alone produce contamination rates of 57-71%. A write-time sanitization is effective when shared state is conversational, but leaves substantial residual risk when shared state includes executable artifacts, with contamination often manifesting as silent wrong answers. These results indicate that shared-state agents need artifact-level defenses beyond text-level sanitization to prevent silent cross-user failures.
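The failure mode in the abstract, as an added example that is not code from the paper: one user's saved row filter persists in shared state and is silently reapplied to another user's query, and a scope check at recall time stops it. The `Artifact` and `SharedState` classes, the `scope` tag, the user names and the data are all constructed for illustration; the scope check is one assumed form of artifact-level defense, not the paper's method.

```python
from dataclasses import dataclass

# Constructed sample data: (region, revenue)
ROWS = [("EU", 100), ("US", 250), ("APAC", 50)]

@dataclass(frozen=True)
class Artifact:
    owner: str    # user whose session persisted the artifact
    scope: str    # "user": valid only for owner; "team": valid for everyone
    region: str   # saved row filter: keep only rows for this region

class SharedState:
    """Hypothetical shared knowledge layer reused across user identities."""
    def __init__(self, enforce_scope):
        self.enforce_scope = enforce_scope
        self.artifacts = []

    def write(self, artifact):
        self.artifacts.append(artifact)

    def recall(self, user):
        if not self.enforce_scope:
            # Raw shared state: every persisted artifact is reapplied.
            return list(self.artifacts)
        # Scoped recall: user-scoped artifacts only return to their owner.
        return [a for a in self.artifacts
                if a.scope == "team" or a.owner == user]

def total_revenue(state, user):
    """Toy agent step: answer 'total revenue' after applying recalled filters."""
    rows = ROWS
    for a in state.recall(user):
        rows = [r for r in rows if r[0] == a.region]
    return sum(revenue for _, revenue in rows)

def run(enforce_scope):
    state = SharedState(enforce_scope)
    # Benign interaction: alice only works on EU, so her session saves a filter.
    state.write(Artifact(owner="alice", scope="user", region="EU"))
    # bob later asks for the total over all regions (correct answer: 400).
    return total_revenue(state, "alice"), total_revenue(state, "bob")

if __name__ == "__main__":
    print("raw shared state (alice, bob):", run(False))
    print("scoped recall    (alice, bob):", run(True))
```

Under raw shared state bob receives a plausible number with no error raised, which is why this kind of contamination shows up as a silent wrong answer rather than a failure.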
