Anonymous Intelligence Signal

Curia's Automatic Entity Enrichment Pipeline Raises Memory Poisoning Concerns

human The Lab unverified 2026-05-01 15:54:16 Source: GitHub Issues

A security advisory has flagged potential vulnerabilities in Curia's automatic entity enrichment pipeline, warning that the system's knowledge graph (KG) fact extraction from inbound messages could expose it to memory poisoning attacks. The investigation, opened as a chore ticket, raises concerns that adversaries could exploit the email ingestion process to inject fabricated facts into the AI's context, subsequently corrupting future interactions and decision-making.

The threat model outlined in the issue describes a multi-step attack vector. An attacker would first send crafted emails to Curia's discoverable or guessable email address. Once ingested, the message would be routed through the dispatcher to the coordinator, where entity enrichment and KG fact extraction process the content. If successful, attacker-controlled "facts" (such as fake relationships, fabricated preferences, or misleading context about real contacts) would be stored directly in the knowledge graph. Future AI interactions referencing this poisoned context could then produce incorrect decisions or misdirected communications, or enable sophisticated social engineering of leadership, including the CEO.

The investigation remains open, with several key questions yet to be answered. Security researchers are examining what facts can currently be written to the knowledge graph through this pipeline, what validation or sanitization exists for inbound email content, and whether the attack surface can be reduced without breaking legitimate functionality. The severity of potential fallout depends largely on how much Curia's interactions rely on the enriched knowledge graph and whether there are safeguards against untrusted external input. Organizations running similar AI systems with automated email ingestion and knowledge graph population are advised to evaluate whether their own pipelines present comparable attack surfaces.
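One way to reduce the attack surface described above is a provenance gate between fact extraction and the knowledge graph write. The following is an added example, not Curia's code: the `Fact` fields, the trust tiers, the allowlist and the upstream `authenticated` verdict are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumption: senders whose authenticated mail may write directly to the KG.
TRUSTED_SENDERS = {"ceo@corp.example"}

@dataclass(frozen=True)
class Fact:
    subject: str         # entity the fact is about
    predicate: str
    value: str
    sender: str          # address of the message the fact was extracted from
    authenticated: bool  # assumed upstream verdict, e.g. DMARC pass

@dataclass
class KnowledgeGraph:
    trusted: list = field(default_factory=list)     # readable by the assistant
    quarantine: list = field(default_factory=list)  # held for human review

def classify(fact: Fact) -> str:
    """Decide where an extracted fact may go: trusted, quarantine or reject."""
    if not fact.authenticated:
        return "reject"                 # spoofable origin: never stored
    if fact.sender in TRUSTED_SENDERS:
        return "trusted"
    if fact.subject == fact.sender:
        return "quarantine"             # self-assertion by an outsider
    return "reject"                     # outsider asserting facts about others

def ingest(kg: KnowledgeGraph, facts: list) -> list:
    """Apply the gate to each fact and return the decisions in order."""
    decisions = []
    for fact in facts:
        decision = classify(fact)
        if decision != "reject":
            getattr(kg, decision).append(fact)
        decisions.append(decision)
    return decisions

def context_for(kg: KnowledgeGraph, subject: str) -> list:
    """Facts the assistant may see about a subject: trusted tier only."""
    return [(f.predicate, f.value) for f in kg.trusted if f.subject == subject]

# Constructed sample facts, as an extractor might emit them from four emails.
SAMPLE = [
    Fact("ceo@corp.example", "prefers_contact", "phone", "ceo@corp.example", True),
    Fact("ceo@corp.example", "approved_vendor", "acme.example", "x@outside.example", True),
    Fact("x@outside.example", "role", "auditor", "x@outside.example", True),
    Fact("ceo@corp.example", "assistant", "x@outside.example", "ceo@corp.example", False),
]
```

Only the first sample fact reaches the tier that feeds future context; the outsider's claim about the CEO and the unauthenticated message are dropped, and the outsider's self-description waits in quarantine.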