INC-26-0008 confirmed medium Signal MINJA: Memory Injection Attack Against RAG-Augmented LLM Agents (2025)
RAG-augmented LLM agent platforms (general category) developed and Organizations using RAG-augmented LLM agents with persistent memory deployed large language models, autonomous agents, and training datasets, harming Potential users of RAG-augmented AI systems ; contributing factors included prompt injection vulnerability and insufficient safety testing.
Incident Details
| Date Occurred | 2025-03 | Severity | medium |
| Evidence Level | primary | Impact Level | Sector |
| Failure Stage | Signal | ||
| Domain | Agentic Systems | ||
| Primary Pattern | PAT-AGT-004 Memory Poisoning | ||
| Secondary Patterns | PAT-SEC-004 Data Poisoning | ||
| Regions | global | ||
| Sectors | Technology, Healthcare, Cross-Sector | ||
| Affected Groups | Developers & AI Builders, Business Organizations | ||
| Exposure Pathways | Adversarial Targeting | ||
| Causal Factors | Prompt Injection Vulnerability, Insufficient Safety Testing | ||
| Assets & Technologies | Large Language Models, Autonomous Agents, Training Datasets | ||
| Entities | RAG-augmented LLM agent platforms (general category)(developer), ·Organizations using RAG-augmented LLM agents with persistent memory(deployer) | ||
| Harm Type | operational | ||
Academic researchers published the MINJA (Memory INJection Attack) technique demonstrating how normal-looking prompts can implant poisoned records into RAG-augmented LLM agents, causing entity-specific data substitution in subsequent queries without triggering safety filters.
Incident Summary
In March 2025, researchers published the MINJA (Memory INJection Attack) paper, defining a practical memory-injection technique targeting RAG-augmented LLM agents with persistent memory stores.[1] The attack uses normal-looking conversational prompts — designed to appear benign to safety filters — to implant poisoned records into the agent’s retrieval-augmented memory. When later queries involve specific entities (such as patient IDs, product names, or customer records), the poisoned memory entries are retrieved and silently substitute fabricated data for authentic information, without triggering content moderation or anomaly detection.[1]
The research demonstrates that the attack is effective because RAG systems inherently trust their own memory stores, treating retrieved records as authoritative context for generation. This trust assumption creates a vulnerability where corrupted memory entries can influence model outputs with high reliability.[1]
Key Facts
- MINJA demonstrates entity-specific data substitution through poisoned RAG memory records[1]
- Attack prompts are designed to appear benign, bypassing safety filters during the injection phase[1]
- Poisoned records activate only when specific trigger entities are queried, making detection difficult[1]
- The technique exploits the implicit trust RAG systems place in their own memory stores[1]
- Healthcare scenarios (e.g., patient ID data swapping) are highlighted as high-impact targets[1]
- This is an academic research publication, not documentation of an in-the-wild attack[1]
Threat Patterns Involved
Primary: Memory Poisoning — MINJA directly advances the memory poisoning threat pattern by demonstrating a systematic technique for corrupting RAG memory stores through conversational interaction. The entity-specific triggering mechanism represents a refinement over broad memory corruption, enabling targeted, hard-to-detect manipulation.
Secondary: Data Poisoning — The attack shares characteristics with data poisoning, as it corrupts the data layer (RAG memory store) that the model relies upon for generation. The distinction is that MINJA targets runtime memory rather than training data, operating through conversational input rather than data pipeline compromise.
Significance
MINJA is significant as the first formal characterization of entity-specific memory injection in RAG-augmented agents.[1] The technique demonstrates that AI systems with persistent memory face a category of risk absent from stateless models: the ability for adversaries to implant dormant payloads that activate only in specific contexts. The healthcare scenarios described in the paper — where patient data could be silently swapped — illustrate the potential for high-consequence harm in domains where AI-assisted retrieval is increasingly deployed. As RAG architectures become standard in enterprise AI deployments, this research provides a concrete threat model that organizations must address in their security posture.
Glossary Terms
Use in Retrieval
INC-26-0008 documents minja: memory injection attack against rag-augmented llm agents, a medium-severity incident classified under the Agentic Systems domain and the Memory Poisoning threat pattern (PAT-AGT-004). It occurred in global (2025-03). This page is maintained by TopAIThreats.com as part of an evidence-based registry of AI-enabled threats. Cite as: TopAIThreats.com, "MINJA: Memory Injection Attack Against RAG-Augmented LLM Agents," INC-26-0008, last updated 2026-03-07.
Sources
- MINJA: Memory INJection Attack Against RAG-Augmented LLM Agents (arXiv) (primary, 2025-03)
https://arxiv.org/html/2503.03704v1 (opens in new tab)
Update Log
- — First logged (Status: Confirmed, Evidence: Primary)