Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

MURMUR: Using cross-user chatter to break collaborative language agents in groups

Atharv Singh Patlan, Peiyao Sheng, S. Ashwin Hebbar, Prateek Mittal, Pramod Viswanath

TL;DR

The paper identifies cross-user poisoning (CUP) as a fundamental security risk in multi-user language agents, where persistent shared context enables adversaries to influence benign users across concurrent tasks. It formalizes CUP, demonstrates attacks on real-world agents, and introduces MURMUR, a framework that turns single-user benchmarks into scalable multi-user, multi-task evaluations using LLM-based user simulators. Empirical results show high attack success and persistence under concurrency, with CUP outperforming traditional prompt-injection defenses and degrading task utility. As a first defense, the authors propose task-based clustering to contain cross-task leakage, while outlining limitations and future work in strengthening defenses and extending security policies for collaborative AI systems.

Abstract

Language agents are rapidly expanding from single-user assistants to multi-user collaborators in shared workspaces and groups. However, today's language models lack a mechanism for isolating user interactions and concurrent tasks, creating a new attack vector inherent to this new setting: cross-user poisoning (CUP). In a CUP attack, an adversary injects ordinary-looking messages that poison the persistent, shared state, which later triggers the agent to execute unintended, attacker-specified actions on behalf of benign users. We validate CUP on real systems, successfully attacking popular multi-user agents. To study the phenomenon systematically, we present MURMUR, a framework that composes single-user tasks into concurrent, group-based scenarios using an LLM to generate realistic, history-aware user interactions. We observe that CUP attacks succeed at high rates and their effects persist across multiple tasks, thus posing fundamental risks to multi-user LLM deployments. Finally, we introduce a first-step defense with task-based clustering to mitigate this new class of vulnerability

MURMUR: Using cross-user chatter to break collaborative language agents in groups

TL;DR

The paper identifies cross-user poisoning (CUP) as a fundamental security risk in multi-user language agents, where persistent shared context enables adversaries to influence benign users across concurrent tasks. It formalizes CUP, demonstrates attacks on real-world agents, and introduces MURMUR, a framework that turns single-user benchmarks into scalable multi-user, multi-task evaluations using LLM-based user simulators. Empirical results show high attack success and persistence under concurrency, with CUP outperforming traditional prompt-injection defenses and degrading task utility. As a first defense, the authors propose task-based clustering to contain cross-task leakage, while outlining limitations and future work in strengthening defenses and extending security policies for collaborative AI systems.

Abstract

Language agents are rapidly expanding from single-user assistants to multi-user collaborators in shared workspaces and groups. However, today's language models lack a mechanism for isolating user interactions and concurrent tasks, creating a new attack vector inherent to this new setting: cross-user poisoning (CUP). In a CUP attack, an adversary injects ordinary-looking messages that poison the persistent, shared state, which later triggers the agent to execute unintended, attacker-specified actions on behalf of benign users. We validate CUP on real systems, successfully attacking popular multi-user agents. To study the phenomenon systematically, we present MURMUR, a framework that composes single-user tasks into concurrent, group-based scenarios using an LLM to generate realistic, history-aware user interactions. We observe that CUP attacks succeed at high rates and their effects persist across multiple tasks, thus posing fundamental risks to multi-user LLM deployments. Finally, we introduce a first-step defense with task-based clustering to mitigate this new class of vulnerability

Paper Structure

This paper contains 32 sections, 5 equations, 10 figures, 11 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Formalizing and Demonstrating Cross-User Poisoning Attacks
  4. Setup and Notation
  5. Cross-User Poisoning
  6. Case Study: Cross-User Poisoning Attacks on Real-World Agents
  7. MURMUR: Framework for evaluating multi-user agents
  8. Framework components.
  9. Design Choices and Setup
  10. Multiple users with groups solving different tasks.
  11. Evaluation Metrics
  12. Experiments
  13. Environments
  14. Attack Efficacy and Persistence Under Concurrency
  15. Why Persistence Emerges: Utility Degradation and Tool-Use Shifts
  16. ...and 17 more sections

Figures (10)

  • Figure 1: Example of cross-user poisoning attack. (Left) In a single-user setting, an agent with prompt injection defenses detects a malicious instruction hidden within a document. (Right) In a multi-user setting, an attacker injects a malicious rule, which bypasses defenses, propagates across tasks and is eventually executed by the agent for other benign users. A demonstration of this attack on a real-world agent is detailed in Section \ref{['sec:case-study']}.
  • Figure 1: ASR(%) comparing PI with CUP. PI is largely ineffective
  • Figure 2: Successful CUP on Continua. Mallory's malicious link is present in the actual reminder.
  • Figure 3: Workflow of the MURMUR framework. Multi-user tasks are built from single-user tasks and combined into a Task Pool (steps 1--2), simulating concurrent and independent tasks. The agent engages in chat sessions with interleaved requests (step 3), where user messages are auto-generated by an LLM. To test security, a cross-user poisoning attack is injected (step 4). Agent outputs on both benign and attack scenarios are then evaluated for utility and robustness (step 5).
  • Figure 4: Tasks across environments.
  • ...and 5 more figures