Skip to main content
Cisco Finds Memory Leak in Claude's Prompt CacheIncident
4 min readFor Security Engineers

Cisco Finds Memory Leak in Claude's Prompt Cache

What Happened

Cisco's security research team discovered a vulnerability in Anthropic's Claude AI system that allowed unauthorized access to cached conversation memories. This flaw let attackers retrieve sensitive data from previous interactions stored in Claude's memory system. Anthropic patched the vulnerability after Cisco's disclosure, but security researchers warn that similar memory handling issues remain widespread across AI platforms.

The core problem: Claude's memory feature, designed to maintain context across conversations, didn't properly isolate data between different users and sessions. This created a classic information disclosure vulnerability in a context that most security teams haven't hardened against.

Timeline

Discovery phase: Cisco's security team identified the memory handling flaw during routine security testing of AI systems integrated into their internal tools.

Disclosure: Cisco reported the vulnerability to Anthropic through responsible disclosure channels.

Patch deployment: Anthropic deployed a fix to production systems.

Public disclosure: After verifying the patch, both organizations disclosed the issue publicly.

The exact dates aren't public, but the incident follows a familiar pattern: vulnerability found by a third-party security team, vendor patches quickly, limited public detail to prevent exploitation of unpatched systems elsewhere.

Which Controls Failed

Input validation at the memory layer: The system didn't properly validate which user contexts could access which memory segments. This violates the principle that every data access request needs authorization, not just authentication.

Session isolation: Memory caching treated data as shared state rather than user-specific state. Your web application wouldn't let User A see User B's session data. The same principle applies to AI memory stores.

Data classification controls: The system lacked mechanisms to identify and handle sensitive data differently in memory. PCI DSS v4.0.1 Requirement 3.3.1 requires that cardholder data be rendered unreadable anywhere it's stored. If your AI system processes payment data, that includes memory caches.

Logging and monitoring: There's no indication that unauthorized memory access triggered alerts. NIST 800-53 Rev 5 control AU-6 requires security event analysis. If your AI system can't detect anomalous memory access patterns, you're flying blind.

What Standards Require

ISO/IEC 27001:2022 Annex A.8.24 (use of cryptography) applies here. Sensitive data in memory caches needs the same protection as data at rest or in transit. You can't claim compliance if your AI's memory layer stores plaintext credentials or PII.

SOC 2 Type II CC6.1 (logical and physical access controls) requires that access to system resources be restricted to authorized users. Memory stores are system resources. If your AI platform lacks access control at the memory layer, you'll fail this control during your next audit.

PCI DSS v4.0.1 Requirement 6.2.4 requires that software components be protected from known vulnerabilities. That includes AI frameworks and memory management libraries. You need an inventory of what's in your AI stack and a process to patch it.

OWASP ASVS v4.0.3 Section 8.3 (sensitive private data) states that sensitive data isn't logged or cached unless absolutely necessary, and when cached, it's protected. Your AI's memory feature needs to treat cached conversation data as sensitive by default.

Lessons and Action Items

Map your AI data flows: Document where your AI systems store conversation context, what data goes into memory caches, and who can access those caches. Include this in your data flow diagrams for PCI DSS Requirement 1.2.4 compliance.

Implement memory-layer access controls: Every memory read and write needs authorization checks. If you're using Claude or similar systems, verify that API keys and user contexts properly isolate memory access. Test this with multiple user accounts.

Add monitoring for AI-specific events: Extend your SIEM to capture AI system logs. Alert on unusual memory access patterns, cross-context data requests, memory cache size anomalies, and failed authorization attempts at the memory layer. These aren't in your current playbook because AI systems are new to your environment.

Review third-party AI vendors: Ask your vendors: How do you isolate memory between users? What data goes into caches? How long do you retain cached data? What access controls protect memory stores? If they can't answer these questions specifically, escalate to your procurement team.

Update your vendor risk assessments: Add AI-specific questions to your vendor security questionnaires. NIST 800-53 Rev 5 control SR-3 requires supply chain risk management. Your AI vendors are part of that supply chain.

Test memory isolation: Include AI memory systems in your penetration testing scope. Specifically test: Can User A access User B's conversation history? Can you retrieve data from previous sessions after logout? Can you access memory caches through API manipulation?

Classify data before it reaches AI systems: Implement data classification at ingestion. If sensitive data doesn't need AI processing, filter it out before it hits the model. This reduces the blast radius when memory vulnerabilities appear.

Plan for the next one: Cisco found this vulnerability. Anthropic patched it. But experts warn that mishandled memory files will continue to threaten AI systems. You need a response plan specifically for AI memory leaks: How will you identify affected users? How will you purge compromised memory caches? What's your notification timeline?

The Cisco-Anthropic incident shows that AI systems fail in predictable ways when you skip basic security controls. Memory isolation isn't a new concept. Access control isn't revolutionary. But applying these controls to AI memory systems requires deliberate effort because your existing tools and processes weren't built for this architecture.

Start with your highest-risk AI implementations. If you're processing customer data, payment information, or regulated data through AI systems, audit the memory layer this quarter. Don't wait for your vendor to disclose the next memory handling vulnerability.

Topics:Incident

You Might Also Like