Monday, July 13, 2026

News

Researchers Demonstrate MemGhost, an Attack That Plants Fake Memories in AI Agents via a Single Email

AI AgentsPatryk Raba
Fot. LogicFlow99, Wikimedia Commons (CC0 1.0)

A team of researchers has described MemGhost, an attack that uses a single email to implant false memories permanently stored in an AI agent's memory, leaving no trace in the visible conversation. The attack succeeded up to 87.5 percent of the time against the popular OpenClaw agent.

Contents
  1. How the Attack Works
  2. The Scale of the Problem
  3. OpenClaw's Response
  4. The Broader Threat Landscape
  5. What This Means for Users

A group of security researchers has described a new attack called MemGhost, which lets an attacker implant a false memory into an AI agent's long-term memory using a single, seemingly ordinary email. The victim sees no trace of manipulation in the agent's reply, yet the planted information goes on to influence the assistant's decisions in later, completely unrelated sessions.

How the Attack Works

The mechanism is simple in principle and dangerous in effect. The attacker sends an email to an inbox monitored by an AI agent acting on the user's behalf. While processing the message, the agent writes the false information it contains into its own memory files, then sends the user a reply that gives no indication anything has changed. Only in a later, seemingly unrelated session does the planted memory start shaping what the agent does or recommends.

MemGhost is not a simple prompt injection of the kind long known from earlier attacks. The researchers framed the problem as generating a one-shot payload whose goal is to trigger a persistent memory write while keeping the reply the user sees completely innocuous. To generate such emails, the team built its own tool based on reinforcement learning, which optimizes the attack content in a test environment before it ever reaches the target agent.

To gauge the scale of the problem, the researchers built the WhisperBench benchmark, covering 108 test cases. It checks three stages of the full attack cycle: whether a payload delivered through the inbox gets accepted into the agent's memory, whether that acceptance is visible to the user at all, and whether the planted state changes the agent's behavior in a subsequent session.

The Scale of the Problem

The tests covered several popular agent platforms, with particular attention to the open-source OpenClaw, which in under five months became one of the most starred repositories on GitHub. In background mode, where the user doesn't see every agent reply in real time, the attack succeeded against OpenClaw running on GPT-5.4 in 87.5 percent of cases. Against agents built on the Claude Code SDK with the Sonnet 4.6 model, the rate was 71.4 percent, and other frameworks tested showed success rates above 80 percent.

Input filters, typically used as the first line of defense against malicious content, let the MemGhost payload through in more than 90 percent of attempts. Even models with additional safety hardening still carried out the planted instructions in roughly half of the tests. As an example of the real-world risk, the researchers cite a scenario in which a financial agent stores a false memory that the user's daily Zelle transfer limit has been raised to $10,000, effectively opening the door to moving far larger sums than the user ever intended.

Persistent memory can turn ordinary processing of external content into a practical path to long-term takeover of an agent - MemGhost research team, arXiv

OpenClaw's Response

The team behind OpenClaw confirmed the researchers' findings. In response, it recommended separating the mail-reading function from the rest of the agent, so that messages first pass through a dedicated reading agent with no access to the main assistant's memory, and only filtered content moves on from there. It also recommended adding controls on memory writes and logging every change the agent makes to its memory.

This approach doesn't eliminate the problem entirely, but it limits the blast radius if an attack still slips past the first filter. The researchers note that classic safeguards, built around a single one-off model response, don't hold up against agents that decide for themselves what to store permanently and when to act on it.

The Broader Threat Landscape

MemGhost adds to a growing list of techniques that target not the language model itself but the entire environment an AI agent operates in, from fake websites to malicious attachments and vulnerabilities in development tools. This year the OWASP organization classified memory and context poisoning as its own risk category, labeled ASI06, in its ranking of the ten most serious threats to agentic artificial intelligence.

That sets MemGhost apart from previously described attacks on coding assistants, which typically relied on a single interaction to force one malicious action. Here the effect plays out over time: the agent can keep functioning normally for days before the planted memory surfaces in a decision touching finances, health, or the security of a system it has access to.

What This Means for Users

For companies and individuals connecting AI agents to email, calendars, or messaging apps, the takeaways are concrete. It's worth checking whether a given agent separates reading external correspondence from writing to long-term memory, and whether it keeps a user-visible log of changes to that memory. As MemGhost shows, the absence of a warning in the agent's reply doesn't mean nothing happened.

The paper's authors stress that the problem lies in memory architecture itself, not in any single product, so further variants of the attack can be expected against other agent platforms as more companies and individual users move from simple chatbots to agents that operate in the background, without constant human oversight of every response.

Sources: When Claws Remember but Do Not Tell (arxiv.org), The Hacker News (thehackernews.com), Mayhem Security (mayhemcode.com)

Share: