MURMUR: Using cross-user chatter to break collaborative language agents in groups

TL;DR

This paper introduces MURMUR, a framework to study cross-user poisoning attacks on collaborative language agents, demonstrating high attack success rates and proposing initial defenses to mitigate these vulnerabilities.

Contribution

The paper presents MURMUR, a novel framework for systematically analyzing cross-user poisoning attacks in multi-user language models, highlighting their risks and proposing initial mitigation strategies.

Findings

CUP attacks succeed at high rates in multi-user agents.

Effects of CUP attacks persist across multiple tasks.

Task-based clustering can mitigate some vulnerabilities.

Abstract

Language agents are rapidly expanding from single-user assistants to multi-user collaborators in shared workspaces and groups. However, today's language models lack a mechanism for isolating user interactions and concurrent tasks, creating a new attack vector inherent to this new setting: cross-user poisoning (CUP). In a CUP attack, an adversary injects ordinary-looking messages that poison the persistent, shared state, which later triggers the agent to execute unintended, attacker-specified actions on behalf of benign users. We validate CUP on real systems, successfully attacking popular multi-user agents. To study the phenomenon systematically, we present MURMUR, a framework that composes single-user tasks into concurrent, group-based scenarios using an LLM to generate realistic, history-aware user interactions. We observe that CUP attacks succeed at high rates and their effects persist across multiple tasks, thus posing fundamental risks to multi-user LLM deployments. Finally, we introduce a first-step defense with task-based clustering to mitigate this new class of vulnerability