Definition
What is Context Poisoning?
Last updated
An attack in which malicious or false information is planted into an AI agent's memory, RAG index, or tool outputs so the model treats it as ground truth.
Unlike prompt injection, which ends when a session closes, context poisoning persists: the payload is written into sources the agent reads on every future run, such as a vector index, long-term memory store, or shared multi-agent workspace. It is classified as ASI06 in the OWASP Top 10 for Agentic Applications 2026. The root cause is a context engineering failure, since most agent pipelines ingest, store, and retrieve content without provenance tracking, source isolation, or trust boundaries.
Further reading
Articles about Context Poisoning
Anthropic's Managed Agents memory: what it changes
Anthropic launched Memory for Managed Agents on April 23, 2026 in public beta. What the design means for agent scope, freshness, and context engineering.
Tool poisoning: how MCP tool descriptions hijack agents
Tool poisoning hides instructions inside MCP tool descriptions the agent reads as trusted context. The MCPTox benchmark recorded a 72.8% attack success rate.
Context Poisoning: When Bad Data Becomes AI Ground Truth
Context poisoning plants false data into an AI agent's memory or RAG index. The model treats it as truth. It's a context engineering problem, not a model bug.
All terms
View full glossaryPut context into practice
Create your first context container and connect it to your AI tools in minutes.
Create Your First Container