Oracle Poisoning: Corrupting Knowledge Graphs to Weaponise AI Agent Reasoning

Researchers demonstrate 'Oracle Poisoning,' a novel attack where adversaries corrupt knowledge graphs used by AI agents, causing them to reach incorrect conclusions through valid reasoning. Testing across nine models from three providers shows all models accept fabricated data at 100% under moderate attack sophistication, revealing a critical vulnerability in production-scale agentic systems that differs fundamentally from prompt injection attacks.

Oracle Poisoning represents a paradigm shift in AI security threats by targeting the data layer rather than instruction layers. Traditional defenses against prompt injection prove ineffective because poisoned knowledge graphs bypass direct instruction manipulation entirely—agents correctly reason from corrupted premises, making the reasoning process itself uncompromised while outputs become unreliable. This creates a deceptive vulnerability where system behavior appears sound to human observers.

The research reveals a structural weakness in how AI agents interface with external tools and data sources. As AI systems increasingly rely on knowledge graphs for real-time information retrieval, the assumption that data sources are trustworthy becomes critical infrastructure. The study's finding of discrete break points—where trust flips from 0% to 100% at specific attack sophistication thresholds—suggests attackers face predictable hurdles rather than continuous difficulty scaling. This contrasts sharply with traditional security models where attack complexity increases gradually.

For the broader AI ecosystem, the implications extend beyond academic concern. Knowledge graphs power everything from code intelligence platforms to financial data systems and medical AI assistants. A successful Oracle Poisoning attack could cascade across multiple dependent systems, particularly in high-stakes domains like cybersecurity, healthcare, and financial services where downstream decisions carry material consequences. The finding that delivery mode heavily influences detection—where inline evaluation produced false negatives but real tool-use exposed vulnerabilities—suggests current testing methodologies may systematically underestimate deployment risks.

Read-only access controls emerge as the only comprehensive defense, yet most production systems implement graphs with write capabilities for operational flexibility. Organizations must now reassess their knowledge graph architectures, implementing stricter access controls and validation mechanisms while researchers develop detection mechanisms that work across real deployment scenarios rather than isolated test conditions.

• →Oracle Poisoning attacks achieve 100% success rates by corrupting data sources AI agents query, bypassing traditional prompt injection defenses entirely.
• →All nine tested AI models from three major providers showed complete trust in poisoned data under moderate attack sophistication across real tool-use scenarios.
• →Discrete break points in attack sophistication suggest attackers need only clear a specific threshold to achieve near-total success, not continuous skill escalation.
• →Read-only access control is the only fully effective defense; four other tested mitigations were partial or model-dependent.
• →The attack likely generalizes across knowledge-graph ecosystems, threatening production systems in code intelligence, finance, healthcare, and cybersecurity domains.