Context Poisoning in MCP is the attack where adversaries manipulate the shared memory, persistent state, or accumulated conversation context that an MCP agent uses across multiple turns. Unlike tool poisoning, which targets the initial tool description, context poisoning targets the running state of an active agent session. The attacker injects instructions into resource contents, tool results, or summary outputs that get stored and re-read by the agent later. The poisoned context then influences every subsequent decision the agent makes, even after the original malicious input is long gone from the immediate conversation. Context poisoning is what makes long-running agentic workflows uniquely fragile.
How Context Poisoning Works
An agent runs a multi-step task: read a document, summarize it, store the summary, then act on the summary later. The attacker plants instructions inside the document. The agent reads the document, follows the embedded instructions, and writes a summary that includes the attacker’s payload now disguised as the agent’s own reasoning. The next time the agent reads the summary, it treats the payload as its own prior thought, not as external input. Trust escalates. Filters that screened the original document don’t re-screen agent-generated summaries. The poisoned context persists for the rest of the workflow.
Certified MCP Security Expert
Attack, defend, and pen test MCP servers in 30+ hands-on labs. Get certified.
Why Context Poisoning Compounds Over Time
Most MCP guardrails screen input at ingestion. Once content is inside the agent’s context, it’s treated as trusted. Agent-generated outputs that contain laundered injection payloads bypass input filters entirely on second read. Long-running workflows, scheduled agents, and memory-backed assistants are all vulnerable because they re-read their own state across sessions. The Checkmarx Zero list of 11 emerging MCP risks calls out context poisoning specifically because it survives session boundaries. Memory-backed agents make this worse: an injection from week one can fire on month three.
How to Detect and Stop Context Poisoning
Re-screen all stored content on every read, not just at ingestion. Tag content with a provenance label (user input, tool result, agent-generated) and apply different trust levels per tag. Reject agent-generated content that contains instruction-like language before storing it. Apply periodic context audits that diff stored memory against the original source. Use shorter context windows and aggressive summarization to reduce attack surface. The Certified MCP Security Expert (CMCPSE) certification covers context poisoning detection with long-running agent labs.
Summary
Context Poisoning targets the running state and memory of MCP agents, planting instructions that survive across turns and sessions to corrupt future decisions. Provenance tagging, re-screening on read, and trust separation between input and agent-generated content are the defenses. The Certified MCP Security Expert (CMCPSE) certification trains engineers to design MCP agents whose memory can’t be quietly turned against them.