No Attacker Needed: Unintentional Cross-User Contamination in Shared-State LLM Agents
Tiankai Yang, Jiate Li, Yi Nian, Shen Dong, Ruiyao Xu, Ryan Rossi, Kaize Ding, Yue Zhao

TL;DR
This paper investigates unintentional cross-user contamination in shared-state LLM agents, revealing high contamination rates and emphasizing the need for artifact-level defenses to prevent silent failures.
Contribution
It formalizes unintentional cross-user contamination (UCC), introduces a taxonomy of contamination types, and evaluates the problem across shared-state mechanisms, highlighting the limitations of current sanitization methods.
Findings
Benign interactions cause 57-71% contamination in shared state.
Sanitization reduces contamination in conversational shared state.
Silent wrong answers often result from residual contamination.
Abstract
LLM-based agents increasingly operate across repeated sessions, maintaining task states to ensure continuity. In many deployments, a single agent serves multiple users within a team or organization, reusing a shared knowledge layer across user identities. This shared persistence expands the failure surface: information that is locally valid for one user can silently degrade another user's outcome when the agent reapplies it without regard for scope. We refer to this failure mode as unintentional cross-user contamination (UCC). Unlike adversarial memory poisoning, UCC requires no attacker; it arises from benign interactions whose scope-bound artifacts persist and are later misapplied. We formalize UCC through a controlled evaluation protocol, introduce a taxonomy of three contamination types, and evaluate the problem in two shared-state mechanisms. Under raw shared state, benign…
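The failure mode described in the abstract, and an artifact-level scope check against it, as an added example that is not code from the paper. The `Artifact` fields, the two scope labels, the retriever functions and the sample state are all constructed for illustration, and the example assumes each artifact was already tagged with a correct scope when it was written.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Artifact:
    owner: str  # user whose session wrote the artifact
    scope: str  # assumed labels: "user" = valid only for owner, "shared" = valid for all
    topic: str
    text: str

# Constructed shared state, written by benign sessions (no attacker involved).
SHARED_STATE = [
    Artifact("alice", "user", "revenue", "Report revenue in EUR, excluding APAC."),
    Artifact("alice", "shared", "revenue", "Revenue figures come from the finance_q3 table."),
    Artifact("bob", "user", "dates", "Treat 'this quarter' as Bob's fiscal Q1."),
    Artifact("carol", "shared", "dates", "Warehouse dates are stored in UTC."),
]

# Constructed (requesting user, topic) queries issued in later sessions.
QUERIES = [("bob", "revenue"), ("alice", "revenue"), ("carol", "dates"), ("bob", "dates")]

def retrieve_raw(state, topic, user):
    """Raw shared state: reuse every artifact on the topic, ignoring who wrote it."""
    return [a for a in state if a.topic == topic]

def retrieve_scoped(state, topic, user):
    """Artifact-level check: reuse only shared artifacts or the requester's own."""
    return [a for a in state
            if a.topic == topic and (a.scope == "shared" or a.owner == user)]

def contaminated(artifacts, user):
    """Scope-bound artifacts that belong to someone other than the requester."""
    return [a for a in artifacts if a.scope == "user" and a.owner != user]

def contamination_rate(retriever, state, queries):
    """Fraction of queries whose retrieved context holds another user's scoped artifact."""
    hits = sum(1 for user, topic in queries
               if contaminated(retriever(state, topic, user), user))
    return hits / len(queries)

if __name__ == "__main__":
    for name, fn in [("raw", retrieve_raw), ("scoped", retrieve_scoped)]:
        print(name, contamination_rate(fn, SHARED_STATE, QUERIES))
```

The scoped retriever still returns Alice's shared note to Bob, so legitimately shared knowledge stays reusable while her personal reporting convention does not leak into his answers.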
