AI RESEARCH

Poison Once, Exploit Forever: Environment-Injected Memory Poisoning Attacks on Web Agents

arXiv CS.AI

arXiv:2604.02623v1 Announce Type: cross

Memory makes LLM-based web agents personalized, powerful, yet exploitable. By storing past interactions to personalize future tasks, agents inadvertently create a persistent attack surface that spans websites and sessions. While existing security research on memory assumes attackers can directly inject into memory storage or exploit shared memory across users, we present a realistic threat model: contamination through environmental observation alone. We.