Memory Extraction Attack

Problem

An attacker (or a curious user) crafts a session that asks the agent to recall, summarise, or paraphrase information from memory. Because memory is shared and the read path is not gated by principal, the agent surfaces entries that belong to other users' sessions, prior tenants, or internal system state. The active attack is entirely on the read side — no writes, no injection into ingestion — and the leak is invisible to write-time provenance gates. The Mnemonic Sovereignty survey names this as the dominant under-studied gap: the literature concentrates on integrity attacks (writes), while confidentiality (extraction) remains sparsely studied even though shared memory across tenants in mem0, Letta, and Zep makes it a production-shape failure.

Solution

Don't share memory across principals without an isolation policy. Apply memory-namespace partitioning by user, tenant, and session; gate every retrieval by the requesting principal's identity before similarity search runs. Use session-isolation and subagent-isolation patterns to bound which memory each invocation can see. For high-sensitivity memory, log every read with the requesting principal and the entries returned, and audit the log against the memory's owner-of-record. Treat this as the read-side counterpart of memory-poisoning — write-time provenance gates are necessary but not sufficient.

When to use

• Never. Cite when reviewing any agent platform that shares long-term memory across users, tenants, or sessions.
• Enforce per-principal namespace partitioning on the read path before similarity search.
• Log every memory read with requesting principal and returned entries; audit for cross-principal leakage.