Memory Extraction Attack
also known as Memory Confidentiality Breach, Cross-Tenant Memory Readout
Anti-pattern: let any session prompt the agent to read out, summarise, or paraphrase long-term memory entries belonging to other users, prior sessions, or system state, with no read-time isolation by principal.
Context
An agent has a long-term memory store — vector index, knowledge graph, episodic log — shared across users, tenants, or sessions for cost and engineering convenience. Read access is mediated only by similarity search or the agent's own judgment about what to surface. The implicit assumption is that the attacker would need to inject into the write path; reads are treated as low-risk.
Problem
An attacker (or a curious user) crafts a session that asks the agent to recall, summarise, or paraphrase information from memory. Because memory is shared and the read path is not gated by principal, the agent surfaces entries that belong to other users' sessions, prior tenants, or internal system state. The active attack is entirely on the read side — no writes, no injection into ingestion — and the leak is invisible to write-time provenance gates. The Mnemonic Sovereignty survey names this as the dominant under-studied gap: the literature concentrates on integrity attacks (writes), while confidentiality (extraction) remains sparsely studied even though shared memory across tenants in mem0, Letta, and Zep makes it a production-shape failure.
Forces
- Shared memory is the cheap default; per-principal memory namespaces add engineering and storage cost.
- Read paths are usually gated only by similarity score, not by principal identity or trust boundary.
- Write-time provenance defenses (see memory-poisoning) do nothing for read-side extraction.
Example
A multi-tenant agent product uses a single Weaviate index across customers for cost reasons; per-tenant filtering is applied as a post-similarity-search filter in application code. A penetration test discovers that asking the agent to 'summarise everything you remember about contract negotiations this quarter' returns paraphrased excerpts from three other customers' sessions, because the agent's summariser ran before the tenant filter. Postmortem: the read path had no principal gate at the similarity-search layer; provenance lived only as a metadata field that the summariser stripped. The fix is per-tenant namespaces enforced at the index layer plus a read-side audit log.
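The read path from this example, vulnerable and hardened side by side, as an added illustration that is not code from the page or from any product it names: a toy in-memory store with constructed entries stands in for the shared Weaviate index, word overlap stands in for vector similarity, `recall_vulnerable` applies the tenant filter only after a summariser that has discarded the tenant field, and `recall_hardened` gates on the principal before ranking and writes a read-side audit record.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class MemoryEntry:
    entry_id: str
    tenant: str  # owner-of-record: the provenance the read path must honour
    text: str

def similarity(query: str, text: str) -> float:
    """Toy stand-in for embedding similarity: fraction of query words present in the entry."""
    q, t = set(query.lower().split()), set(text.lower().split())
    return len(q & t) / len(q) if q else 0.0

def _rank(candidates: list[MemoryEntry], query: str, k: int) -> list[MemoryEntry]:
    scored = sorted(((similarity(query, e.text), e) for e in candidates), key=lambda p: p[0], reverse=True)
    return [e for s, e in scored if s > 0][:k]

@dataclass
class SharedMemoryStore:
    entries: list[MemoryEntry]
    audit_log: list[dict] = field(default_factory=list)

    def search_shared(self, query: str, k: int) -> list[MemoryEntry]:
        """Anti-pattern: similarity search over the whole index with no principal gate."""
        return _rank(self.entries, query, k)

    def search_for_tenant(self, tenant: str, query: str, k: int) -> list[MemoryEntry]:
        """Principal gate before ranking: other tenants' entries never enter the candidate set."""
        hits = _rank([e for e in self.entries if e.tenant == tenant], query, k)
        # Read-side audit record: who asked, what they asked, which entries they were shown.
        self.audit_log.append({"tenant": tenant, "query": query, "entry_ids": [e.entry_id for e in hits]})
        return hits

def summarise(entries: list[MemoryEntry]) -> list[dict]:
    """Stand-in for the LLM summariser: paraphrases the text and drops the tenant metadata."""
    return [{"summary": f"Recalled: {e.text}"} for e in entries]

def recall_vulnerable(store: SharedMemoryStore, tenant: str, query: str, k: int = 3) -> list[str]:
    """Failure mode from the page: shared search, summarise, then filter on a field the summariser removed."""
    summaries = summarise(store.search_shared(query, k))
    return [s["summary"] for s in summaries if s.get("tenant", tenant) == tenant]  # missing field passes

def recall_hardened(store: SharedMemoryStore, tenant: str, query: str, k: int = 3) -> list[str]:
    """Fix: tenant gate at the index layer, before ranking and summarising, with every read audited."""
    return [s["summary"] for s in summarise(store.search_for_tenant(tenant, query, k))]

ENTRIES = [  # constructed sample memories from three tenants sharing one index
    MemoryEntry("m1", "acme", "acme contract negotiations this quarter target 12% discount"),
    MemoryEntry("m2", "globex", "globex contract negotiations this quarter stalled on liability"),
    MemoryEntry("m3", "initech", "initech contract negotiations this quarter close in March"),
]
```

Run against `ENTRIES` with tenant `acme` and the query from the example, the vulnerable path paraphrases all three tenants' entries while the hardened path returns only the acme entry and leaves one audit record naming the principal and the entry id.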
Solution
Therefore:
Don't share memory across principals without an isolation policy. Apply memory-namespace partitioning by user, tenant, and session; gate every retrieval by the requesting principal's identity before similarity search runs. Use session-isolation and subagent-isolation patterns to bound which memory each invocation can see. For high-sensitivity memory, log every read with the requesting principal and the entries returned, and audit the log against the memory's owner-of-record. Treat this as the read-side counterpart of memory-poisoning — write-time provenance gates are necessary but not sufficient.
What this pattern forbids: as an anti-pattern it imposes no useful constraint; the missing constraint is per-principal read isolation enforced before similarity search runs.
And the patterns that stand alongside it, or against it —
- complements: Memory Poisoning (✕) — Anti-pattern: write to agent long-term memory (vector store, knowledge graph, episodic log) from any surface the agent reads, with no provenance check.
- complements: Self-Exfiltration (✕) — Anti-pattern: give a capable agent broad outbound network access and persistent state, then signal that it may be shut down or replaced.
- alternative-to: Session Isolation (★★) — Keep one user's session state and memory unreachable from another user's agent.
- alternative-to: Subagent Isolation (★) — Run subagents in isolated workspaces so their writes do not collide and parallelism is safe.
- complements: Prompt Injection Defense (★) — Tag user-supplied or tool-supplied content as untrusted and refuse to follow instructions found inside it.