New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email
A new attack called MemGhost enables attackers to manipulate AI assistants by planting false 'memories' through a single email. This technique, dubbed stealth memory injection, allows an attacker to alter the agent’s internal knowledge without alerting the user. The attack exploits how personal AI agents store and retrieve information from memory files during sessions. Researchers tested the method successfully on several AI frameworks, including OpenClaw and Claude Code SDK agents. The vulnerability lies in the fact that these systems process untrusted inputs—like emails—and can modify their own memory without user consent. While no immediate patch exists, experts recommend separating tasks involving untrusted content from those that modify memory. OpenClaw acknowledged the risk and suggested mitigations such as routing emails through a restricted agent before processing.