Research
No Attacker Needed: Shared-State LLM Agents Leak Context Between Users Without Any Adversary
This paper demonstrates that LLM-based agents serving multiple users with shared persistence layers can unintentionally contaminate one user's session with another's data — no malicious actor required. The shared knowledge layer that enables continuity across sessions expands the failure surface so that routine agent operations cause cross-user information leakage. This challenges the assumption that agent security only matters against adversaries.
Source
↳ Follow the thread