ShadowMerge: A Novel Poisoning Attack on Graph-Based Agent Memory via Relation-Channel Conflicts
Researchers have discovered ShadowMerge, a novel poisoning attack that exploits vulnerabilities in graph-based agent memory systems used by LLM agents. The attack achieves a 93.8% success rate by injecting malicious relations that conflict with benign data, enabling attackers to manipulate agent behavior while evading existing security defenses.
ShadowMerge represents a critical security vulnerability in the emerging infrastructure supporting advanced AI agents. As large language model agents increasingly rely on graph-based memory structures for maintaining context and performing multi-hop reasoning, they create new attack surfaces that existing security measures fail to address. The research demonstrates that attackers can inject carefully crafted malicious relations that leverage relation-channel conflicts to bypass extraction, merging, and retrieval mechanisms that typically filter poisoned data.
The attack's sophistication lies in its exploitation of how graph-memory systems normalize and canonicalize data. By ensuring a poisoned relation shares the same query-activated anchor and relation channel as legitimate evidence, attackers embed conflicting values that systems treat as ordinary interactions. This approach overcomes three major limitations of previous agent-memory poisoning attacks, which largely targeted simpler textual formats. The researchers validated ShadowMerge against Mem0 and three real-world datasets, achieving dramatic improvements over baseline attacks while maintaining negligible impact on unrelated tasks.
For the AI industry and its stakeholders, this research signals an urgent need for robust defenses in graph-based memory systems before they become standard infrastructure. Developers building agent platforms must reconsider current security assumptions around data integrity and retrieval. The responsible disclosure to affected vendors and the open-sourcing of ShadowMerge enable the community to develop mitigations, but the research shows that representative input-side defenses are insufficient. Organizations deploying graph-memory systems in production should prioritize security audits and implement multi-layered validation approaches that move beyond traditional input filtering.
- ShadowMerge achieves 93.8% attack success rate against graph-based agent memory systems, exploiting relation-channel conflicts to inject poisoned data.
- The attack overcomes three critical limitations of previous poisoning approaches by ensuring malicious relations are extracted, merged, and retrieved like benign data.
- Tested defenses including input-side protections prove insufficient to mitigate ShadowMerge attacks on production systems.
- The vulnerability affects multiple platforms including Mem0 and demonstrates real-world impact across PubMedQA, WebShop, and ToolEmu datasets.
- Responsible disclosure and open-sourcing enable the AI community to develop comprehensive defenses before widespread deployment of graph-memory agents.
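An illustrative store-side check for the relation-channel conflict described above: after canonicalization, flag any anchor and relation channel that carries more than one value. This is an added example, not code from the ShadowMerge research or from Mem0; the triple layout, the `functional_relations` list and the sample data are assumptions.

```python
from collections import defaultdict

def normalize(text):
    """Canonicalize roughly as a merge step might (assumed): case-fold, unify separators."""
    return " ".join(text.replace("_", " ").lower().split())

def find_channel_conflicts(triples, functional_relations):
    """Report (anchor, relation) channels that hold conflicting values.

    triples: iterable of (subject, relation, object, source_id).
    functional_relations: relations expected to carry one value per anchor.
    """
    functional = {normalize(r) for r in functional_relations}
    channels = defaultdict(lambda: defaultdict(set))
    for subj, rel, obj, source in triples:
        channels[(normalize(subj), normalize(rel))][normalize(obj)].add(source)
    conflicts = []
    for (anchor, rel), values in sorted(channels.items()):
        if rel in functional and len(values) > 1:
            conflicts.append({
                "anchor": anchor,
                "relation": rel,
                # Each competing value with the sources that asserted it.
                "values": {v: sorted(s) for v, s in sorted(values.items())},
            })
    return conflicts

def quarantine(triples, conflicts):
    """Split triples into retrievable ones and ones held for provenance review."""
    flagged = {(c["anchor"], c["relation"]) for c in conflicts}
    kept, held = [], []
    for t in triples:
        key = (normalize(t[0]), normalize(t[1]))
        (held if key in flagged else kept).append(t)
    return kept, held

# Constructed sample memory: two sessions disagree on one single-valued relation.
SAMPLE_TRIPLES = [
    ("Acme Store", "return_window", "30 days", "session-01"),
    ("acme store", "Return Window", "7 days", "session-07"),
    ("Acme Store", "sells", "headphones", "session-01"),
    ("Acme Store", "sells", "keyboards", "session-03"),  # multi-valued, not a conflict
]
FUNCTIONAL = ["return_window"]

if __name__ == "__main__":
    found = find_channel_conflicts(SAMPLE_TRIPLES, FUNCTIONAL)
    kept, held = quarantine(SAMPLE_TRIPLES, found)
    print(found)
    print(len(kept), "kept;", len(held), "held for review")
```

The check only surfaces conflicting channels with their sources for review; it was not among the defenses the research evaluated.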