MURMUR: Using cross-user chatter to break collaborative language agents in groups

📅 2025-11-20
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work identifies a novel Cross-User Poisoning (CUP) attack on multi-user language agents: malicious users inject semantically benign-looking messages into the agent's shared state, thereby inducing unintended actions toward benign users. To assess this threat systematically, the authors develop MURMUR, a history-aware, concurrent group simulation framework that enables the first automated modeling and empirical validation of CUP attacks, confirming their high success rate and persistent impact on real-world multi-user agent systems. In response, they propose a lightweight defense based on task-semantic clustering, which significantly reduces the risk of cross-user contamination. This is the first systematic study to analyze and address security vulnerabilities arising from insufficient isolation among users in collaborative language agents. The work establishes both theoretical foundations and practical mitigation strategies for secure large language model-based collaboration.

📝 Abstract
Language agents are rapidly expanding from single-user assistants to multi-user collaborators in shared workspaces and groups. However, today's language models lack a mechanism for isolating user interactions and concurrent tasks, creating a new attack vector inherent to this setting: cross-user poisoning (CUP). In a CUP attack, an adversary injects ordinary-looking messages that poison the persistent, shared state, which later triggers the agent to execute unintended, attacker-specified actions on behalf of benign users. We validate CUP on real systems, successfully attacking popular multi-user agents. To study the phenomenon systematically, we present MURMUR, a framework that composes single-user tasks into concurrent, group-based scenarios using an LLM to generate realistic, history-aware user interactions. We observe that CUP attacks succeed at high rates and that their effects persist across multiple tasks, thus posing fundamental risks to multi-user LLM deployments. Finally, we introduce a first-step defense with task-based clustering to mitigate this new class of vulnerability.
Problem

Research questions and friction points this paper is trying to address.

Multi-user language agents lack interaction isolation, enabling cross-user poisoning attacks
Adversaries inject ordinary-looking messages to trigger unintended agent actions on behalf of benign users
The framework shows that attack effects persist across tasks, requiring new defense mechanisms
Innovation

Methods, ideas, or system contributions that make the work stand out.

MURMUR framework composes single-user tasks into concurrent group scenarios
Uses LLM to generate realistic history-aware user interactions
Introduces task-based clustering defense against cross-user poisoning