This work addresses cross-user contamination (UCC)—a silent failure mode in multi-user LLM agent systems where benign interactions inadvertently leak or corrupt user-specific states. It presents the first formal characterization of UCC in the absence of adversarial actors, introduces a controlled evaluation protocol and a taxonomy of contamination types, and systematically analyzes risks under two shared-state mechanisms: conversational context and executable artifacts. Empirical results reveal contamination rates of 57%–71% in raw shared states. While write-time sanitization mitigates contamination in conversational content, it leaves substantial residual risk for executable artifacts, underscoring the need for defense mechanisms that operate beyond text-level isolation and instead enforce artifact-level integrity.

LLM-based agents increasingly operate across repeated sessions, maintaining task states to ensure continuity. In many deployments, a single agent serves multiple users within a team or organization, reusing a shared knowledge layer across user identities. This shared persistence expands the failure surface: information that is locally valid for one user can silently degrade another user's outcome when the agent reapplies it without regard for scope. We refer to this failure mode as unintentional cross-user contamination (UCC). Unlike adversarial memory poisoning, UCC requires no attacker; it arises from benign interactions whose scope-bound artifacts persist and are later misapplied. We formalize UCC through a controlled evaluation protocol, introduce a taxonomy of three contamination types, and evaluate the problem in two shared-state mechanisms. Under raw shared state, benign interactions alone produce contamination rates of 57--71%. A write-time sanitization is effective when shared state is conversational, but leaves substantial residual risk when shared state includes executable artifacts, with contamination often manifesting as silent wrong answers. These results indicate that shared-state agents need artifact-level defenses beyond text-level sanitization to prevent silent cross-user failures.