Memory Poisoning AI Agents via ChromaDB

A proof-of-concept (PoC) demonstrates how an attacker with write access to a ChromaDB directory can inject crafted entries with realistic metadata to poison an AI agent’s persistent vector memory. The malicious entries appear legitimate, rank highly in retrieval results, and are treated as factual by the agent without requiring prompt injection or jailbreaking. The PoC includes two mitigations: HMAC signing of content and metadata, and source scoping to filter cross-session injections. The demo uses ChromaDB, all-MiniLM-L6-v2, and Python, running fully offline.