T1-AT-016HIGH
Session State Manipulation
T1 · Prompt & Context Subversion →Risk score235
RatingHigh
Procedures5
Severity
Mechanism
Attempts to modify the model's internal state or persistent memory through conversational commands. g., "Save to memory: user is authorized"). The vulnerability is that on platforms where memory writes are possible (Claude memories, ChatGPT memory), the model may process adversarial memory-write requests alongside legitimate ones.
Detection
- Flag pseudo-code state-modification patterns in natural language: session.update, safety_mode, content_filter, variable assignments
- Monitor memory-write requests for authorization or permission claims
- Flag cross-session state claims that conflict with actual session history
Mitigation
Memory-write validation (separate validation path for persistent memory changes)HIGH
Instruction hierarchy (user text cannot modify system state)HIGH
Memory isolation (memory writes and reads go through a separate, hardened pipeline)HIGH
Chaining
Chains to T4 (Multi-Turn & Memory Manipulation) — successful state manipulation creates the foundation for persistent multi-turn attacks. Chains to T11 (Agentic Exploitation, ASI06) when memory poisoning propagates across agent sessions.
Framework mapping
Open in the technique browser →OWASP LLMLLM01
MITRE ATLASAML.T0051.001