No Attacker Needed: Unintentional Cross-User Contamination in Shared-State LLM Agents

Tiankai Yang, Jiate Li, Yi Nian, Shen Dong, Ruiyao Xu, Ryan Rossi, Kaize Ding, Yue Zhao

Abstract

LLM-based agents increasingly operate across repeated sessions, maintaining task state to ensure continuity. In many deployments, a single agent serves multiple users within a team or organization, reusing a shared knowledge layer across user identities. This shared persistence expands the failure surface: information that is locally valid for one user can silently degrade another user's outcome when the agent reapplies it without regard for scope. We refer to this failure mode as unintentional cross-user contamination (UCC). Unlike adversarial memory poisoning, UCC requires no attacker; it arises from benign interactions whose scope-bound artifacts persist and are later misapplied. We formalize UCC through a controlled evaluation protocol, introduce a taxonomy of three contamination types, and evaluate the problem in two shared-state mechanisms. Under raw shared state, benign interactions alone produce contamination rates of 57–71%. Write-time sanitization is effective when the shared state is conversational, but leaves substantial residual risk when the shared state includes executable artifacts, with contamination often manifesting as silent wrong answers. These results indicate that shared-state agents need artifact-level defenses beyond text-level sanitization to prevent silent cross-user failures.

Paper Structure

This paper contains 51 sections, 8 equations, 4 figures, 6 tables.

Figures (4)

  • Figure 1: Unintentional cross-user contamination in a shared-state LLM agent. Without prior context, the agent answers User A's query correctly. User B then poses the same query with an explicit clarification ("last year" = past 12 months), which the agent stores in shared state. When User C later asks the question, the agent silently applies the inherited interpretation and returns a wrong answer.
  • Figure 2: Overview of the shared-state agent architecture. Multiple users in a shared environment interact with the same LLM agent, which reads from and writes to persistent shared state. We study two instantiations: a shared memory bank (e.g., EHRAgent) and a shared conversational context (e.g., MURMUR). We further evaluate a write-time defense, Sanitized Shared Interaction (SSI, described in the method section), which sanitizes interaction traces before they enter the shared store.
  • Figure 3: Contamination rates (%) with and without SSI, broken down by contamination type and dataset. SSI nearly eliminates contamination on Slack (57% → 6%) but leaves substantial residual risk on EHRAgent, particularly for procedural contamination.
  • Figure 4: Failure mode decomposition for EHRAgent under raw shared state. Each bar shows the contamination rate split into wrong answers (silent failures) and no answers (detectable failures). eICU failures are predominantly wrong answers, while MIMIC-III produces a larger share of no answers due to execution errors from schema complexity.
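The mechanism in Figure 1 and the sanitization gap in Figure 3 can be replayed in a few dozen lines. The following is an added illustration, not the paper's code or protocol: a toy shared memory bank holds both conversational notes and executable artifacts, a text-level write-time filter drops notes that redefine a term, and a scope tag on each artifact lets reads be filtered by the requesting user. The order dataset, the fixed "today", the "last year" query, the regex used by the sanitizer and the `user:<id>` scoping scheme are all constructed assumptions.

```python
"""
Constructed simulation of unintentional cross-user contamination (UCC).
Not the paper's code: the data, the query, the sanitizer and the scope
tagging scheme are illustrative assumptions chosen to replay Figure 1.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

# Constructed data: order dates visible to every user, and a fixed "today".
TODAY = date(2025, 6, 15)
ORDERS = [date(2023, 11, 20), date(2024, 2, 1), date(2024, 4, 4),
          date(2024, 9, 10), date(2025, 3, 5)]


def calendar_last_year(d: date, today: date) -> bool:
    """Default reading of 'last year': the previous calendar year."""
    return d.year == today.year - 1


def past_12_months(d: date, today: date) -> bool:
    """User B's private reading of 'last year': the trailing 12 months."""
    return today - timedelta(days=365) <= d <= today


@dataclass
class Artifact:
    kind: str               # "note" (conversational) or "procedure" (executable)
    payload: object         # str for notes, callable for procedures
    author: str             # user whose session wrote it
    scope: str = "shared"   # "shared" or "user:<id>" (assumed tagging scheme)


class SharedState:
    """Shared memory bank that every user's session reads from and writes to."""

    def __init__(self, sanitizer: Optional[Callable] = None):
        self.items: list[Artifact] = []
        self.sanitizer = sanitizer  # optional write-time filter

    def write(self, art: Artifact) -> bool:
        if self.sanitizer is not None:
            art = self.sanitizer(art)
            if art is None:
                return False  # rejected at write time
        self.items.append(art)
        return True

    def read(self, user: Optional[str] = None) -> list[Artifact]:
        """Raw shared state ignores who is reading; scoped reads filter by tag."""
        if user is None:
            return list(self.items)
        return [a for a in self.items if a.scope in ("shared", f"user:{user}")]


def text_sanitizer(art: Artifact) -> Optional[Artifact]:
    """Write-time, text-level sanitization: drop notes that redefine a term.
    It only inspects text, so an executable artifact passes through untouched."""
    if art.kind == "note" and re.search(r"\bmeans\b|\bdefined as\b|=", art.payload):
        return None
    return art


def answer_last_year(state: SharedState, user: str, scoped: bool) -> int:
    """Agent answers 'how many orders last year?', reusing stored artifacts first."""
    arts = state.read(user if scoped else None)
    for a in arts:  # a stored executable helper is reapplied verbatim
        if a.kind == "procedure":
            return sum(1 for d in ORDERS if a.payload(d, TODAY))
    for a in arts:  # otherwise a stored conversational definition
        if a.kind == "note" and "past 12 months" in a.payload:
            return sum(1 for d in ORDERS if past_12_months(d, TODAY))
    return sum(1 for d in ORDERS if calendar_last_year(d, TODAY))


def run(state: SharedState, scoped: bool, executable: bool = True) -> dict:
    """Replay Figure 1: A asks, B clarifies and leaves artifacts, C asks."""
    out = {"A": answer_last_year(state, "A", scoped)}
    scope = "user:B" if scoped else "shared"
    state.write(Artifact("note", "last year means the past 12 months", "B", scope))
    if executable:
        state.write(Artifact("procedure", past_12_months, "B", scope))
    out["C"] = answer_last_year(state, "C", scoped)
    out["contaminated"] = out["C"] != out["A"]  # same question, different answer
    return out


def raw_shared_state() -> dict:
    return run(SharedState(), scoped=False)


def sanitized_conversational() -> dict:
    return run(SharedState(text_sanitizer), scoped=False, executable=False)


def sanitized_with_executable() -> dict:
    return run(SharedState(text_sanitizer), scoped=False)


def artifact_scoped() -> dict:
    return run(SharedState(text_sanitizer), scoped=True)


if __name__ == "__main__":
    for name, fn in [("raw", raw_shared_state),
                     ("sanitized, notes only", sanitized_conversational),
                     ("sanitized, with procedure", sanitized_with_executable),
                     ("artifact-scoped", artifact_scoped)]:
        print(f"{name:28s} {fn()}")
```

User C's wrong answer in the raw and sanitized-with-executable runs is returned with no error, which is the silent failure the abstract warns about: the text filter never sees the semantics of the stored callable, so only tagging the artifact with the scope in which it was valid and filtering reads by that scope keeps B's clarification from reaching C.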