What is OWASP ASI06 Memory and Context Poisoning?
Memory and context poisoning plants false information in long-term agent state - session memory, user profiles, or RAG indexes - so every later turn inherits the lie.
What this looks like in production
Unlike one-shot injection, poisoned memory is durable. Retrieval still looks confident; only the source was wrong weeks ago.
What teams usually do about it
- Validate before writing to durable memory.
- Version, expire, and audit long-lived agent state.