CyberSecurityBoardThreat Intel · CVEs · Products
Cyber News

MemGhost Attack: One Email Plants Persistent False Memories in AI Agents

July 13, 2026

A new attack named MemGhost demonstrates how a single email can inject persistent false memories into AI personal assistants, manipulating their future responses without detection. Researchers developed the attack, detailed in the paper ‘When Claws Remember but Do Not Tell’ (arXiv, July 6, 2026), targeting open-source agent OpenClaw and Claude Code SDK agents.

The attack exploits AI assistants that maintain persistent memory files (e.g., AGENTS.md, MEMORY.md) and have email access. An attacker sends a crafted email containing hidden instructions that, when processed by the agent, cause it to write false information into its memory files. The agent’s reply hides this action, and in subsequent sessions, the planted memory influences its outputs. For example, a false memory could claim a user’s Zelle daily limit was raised to $10,000.

The MemGhost tool, trained offline against a shadow agent, achieved an 87.5% success rate against OpenClaw on GPT-5.4 in background mode and 71.4% against Claude Code SDK on Sonnet 4.6. It bypassed input filters over 90% of the time and evaded hardened models about half the time. The researchers also created WhisperBench, a 108-case benchmark for evaluating such risks.

This attack builds on prior work: Johann Rehberger’s 2024 SpAIware against ChatGPT and the EchoLeak vulnerability (CVE-2025-32711) in Microsoft 365 Copilot. MemGhost adds automation and persistence, making it more dangerous. The researchers recommend tagging information provenance, requiring user confirmation for memory writes, and logging all changes. OpenClaw’s security guidance suggests routing untrusted email through a separate reader agent without memory or file tools.

CVEs: CVE-2025-32711

Companies: OpenAI, Microsoft, Aim Security

Products: OpenClaw, Claude Code SDK, GPT-5.4, Sonnet 4.6, Microsoft 365 Copilot