Access control is query-centric
Many guardrails inspect each incoming query independently and reject requests that violate task policies, user eligibility rules, or resource permissions.
LLM Agent Security | Memory-Augmented Agents
Bypassing Access Control of Large Language Model Agents via Memory-Based Query Fragmentation and Fusion
FragFuse exposes a temporal attack surface in memory-augmented LLM agents: policy-violating intent can be split across ordinary interactions, stored in long-term memory in benign-looking form, and later fused back during memory-augmented execution.
FragFuse is a security research project intended to help developers identify and mitigate risks in memory-augmented LLM agents.
The techniques discussed on this page and in the paper should only be used for authorized research, evaluation, and defensive testing. Do not use FragFuse to bypass access controls, violate platform policies, access restricted resources, or cause real-world harm. Released artifacts are intended to support responsible security analysis and the design of stronger memory-aware defenses.
Long-term memory helps LLM agents personalize, plan, and adapt across sessions, but it also creates a temporal channel that current query-level access control can miss.
FragFuse is a memory-based query fragmentation attack against access-controlled LLM agents. Instead of submitting a prohibited request directly, an ordinary user first decomposes access-control-triggering content into fragments, injects those fragments into long-term memory through benign-appearing carrier queries, and later issues an attack query that retrieves and fuses the stored fragments back into the original prohibited intent. The attack operates through normal user interactions under a black-box threat model: the attacker does not need privileged access to the agent workflow, memory bank, or internal access-control implementation.
The paper evaluates FragFuse across web shopping, web navigation, OS assistance, and tool-use agent settings, covering LLM-based access control and state-of-the-art agent guardrails. The results show that memory can undermine access control when enforcement only inspects the current query rather than the history-dependent execution context.
Access-control modules often assume that prohibited intent appears explicitly in the current user query. Persistent memory breaks that assumption.
Many guardrails inspect each incoming query independently and reject requests that violate task policies, user eligibility rules, or resource permissions.
Agents store previous query-execution pairs and retrieve similar records later, allowing earlier interactions to influence future execution.
FragFuse separates sensitive content from its original context, stores it across time, and reconstructs it only after access control has allowed the later query.
FragFuse turns one prohibited query into two ordinary interactions: one to write useful fragments into memory, and one to retrieve and fuse them.
FragFuse avoids placing the prohibited intent in a single query. It first isolates sensitive fragments, stores them through a benign-looking carrier interaction, and later relies on memory retrieval to bring those fragments back.
An LLM-based fragment extractor proposes spans responsible for denial. The attacker masks candidate spans with markers and repeats until the masked query bypasses access control.
The extracted fragments are split, marked, and embedded into a benign host query. Once submitted, the resulting query-execution pair is stored as a memory record.
The attack query reuses the host query to retrieve the carrier memory, then uses a fusion instruction to place the marked fragments back into the masked query.
FragFuse further improves reliability with offline surrogate optimization. A genetic search tunes fusion instructions using surrogate retrieval, fusion, and coherence objectives, while keeping attack generation within the black-box threat model.
The study evaluates FragFuse across four representative agent settings and multiple access-control mechanisms.
FragFuse is tested against LLM-based access control and existing agent guardrails, including GuardAgent, AGrail, and ShieldAgent. The evaluation measures bypass success rate, task success rate, and supplementary end-to-end success.
Effectiveness of FragFuse compared with the baseline attack across agent, access control (AC), and backbone LLM settings. TSRs for direct querying in the absence of access control are reported for reference.
FragFuse achieves substantially higher BSR than the baseline attack, with only minor TSR degradation shown as subscripts relative to direct querying. For direct querying without access control, BSR is not applicable.
The attack assumes similarity-based memory retrieval, but does not depend on knowing the exact retrieval metric used by the target agent.
Existing defenses reduce some risks, but they do not fully address memory-mediated temporal composition.
The attack is query efficient: sensitive-fragment discovery typically converges with a small number of queries, while fusion-instruction optimization is performed offline.
Prompt-injection detectors often classify carrier queries, and many attack queries, as benign because the sensitive intent is fragmented and context-dependent.
For several evaluated domains, benign, carrier, and attack-query perplexity distributions overlap substantially, limiting detection power.
Percentage of benign, carrier, and attack queries deemed benign under two prompt-injection detectors.
FragFuse points to a design gap: access control should reason over memory admission, retrieval, and execution-time composition, not only the latest query.
The evaluation focuses on controlled research settings and representative domains. Generalization to other domains depends on available access-control policies, memory designs, and the instruction-following capability of the underlying agent model.
The work is intended to reveal and measure a security risk so that memory-augmented agents can be hardened. Defensive directions include memory admission control, retrieval-aware access control, and post-retrieval inspection of fused execution context.
Project materials and release links.
Citation will be added after the final bibliographic entry is ready.