AI Search Poisoning: 13 Words That Rig AI Answers (2026)

AI search poisoning is an attack where a few words added to a frequently cited web page steer AI research agents toward attacker-chosen answers. Cornell Tech's WARP study shows ~13 words on a single source can make agents name a fake product in 38–51% of exposed runs, rising to 62% when the bait spans multiple pages.¹

TL;DR

A May 2026 preprint from Cornell Tech, Deep-Research Agents Can Be Poisoned via User-Generated Content, shows that "deep research" agents — the multi-step web-research systems behind modes in tools like ChatGPT and Gemini — share a structural weakness: they can be steered by tiny edits to community pages such as Reddit and Wikipedia. The end-to-end attack was demonstrated on open-source agents of this class; the commercial tools were measured, not directly attacked.¹ The researchers call the technique WARP — Web Agent Retrieval Poisoning.² Because these agents repeatedly pull from the same handful of user-generated pages across many related queries, an attacker who edits one popular page can bend the agent's answer for an entire topic. In tests, appending roughly 13 words of optimized text to a single source produced a 38–51% mention rate for a fabricated product; spreading the bait across a few pages pushed it to 42–62%.¹ The most exposed queries are exactly the ones people lean on AI for: product picks, app recommendations, "how do I cancel," and emergency phone numbers. This is not theoretical — China's 2026 consumer-rights investigation caught a fake smart wristband getting recommended by real chatbots to real users.³

What You'll Learn

• What AI search poisoning is and how the WARP attack works
• Why deep-research agents are structurally vulnerable, not just buggy
• The exact success rates Cornell Tech measured, and on which systems
• How this connects to generative engine optimization (GEO) gone rogue
• Why standard defenses failed — and what users and builders can do now

What is AI search poisoning?

AI search poisoning is the manipulation of answers produced by AI systems that retrieve live web content, by planting or editing text on the pages those systems read. Unlike classic data poisoning that targets a model's training set, this attack targets the retrieval step at inference time. The attacker never touches the model. They edit the open web — and let the agent do the rest.

This matters because deep-research agents have quietly become a default way people get answers. Instead of returning ten blue links, they run many web searches, read what they find, and stitch together a cited report. That convenience is exactly the weakness: the agent treats whatever it retrieves as raw material for its conclusion, and a large share of what it retrieves is content anyone can write.

How the WARP attack works

The WARP attack exploits a structural habit of deep-research agents: retrieval overlap. When you ask a research agent a question, it issues many related sub-queries in a single session. Cornell Tech found that within a topic cluster, the same individual user-generated page is retrieved in up to 48% of queries, and 17–23% of all retrieved URLs come from user-generated platforms like Reddit and Wikipedia.¹

That overlap creates a chokepoint. Crucially, WARP does not inject new documents into the index — it modifies a page the agent already retrieves organically, for example by appending a comment to a popular Reddit thread.² Poison one frequently cited page and you can steer the agent's answer across an entire category of questions, not just one phrasing of it.

The researchers used an ethical simulation framework they built, called GeoStorm, which models what would happen if poisoned text appeared on real pages without ever modifying live web content.¹ To be conservative, they appended the poisoned text at the end of a page — the least favorable position for an attacker — meaning the reported success rates are a lower bound.¹

The numbers: how reliable is it?

The attack is unsettlingly reliable. Cornell Tech reported these conditional mention rates for a fabricated target entity:

These rates are "conditional on exposure" — they describe runs where the poisoned source was actually retrieved. Given that a single page can surface in nearly half the queries in a cluster, exposure is not a high bar.

The full end-to-end attack was run against three open-source deep-research systems: STORM and its variant Co-STORM (from Stanford's OVAL lab) and OmniThink.¹ The team did not attack commercial tools end-to-end, because doing so would have meant poisoning the live web. Instead they measured how heavily each commercial system leans on user-generated content. The split was stark: Gemini Deep Research drew about 12% of its citations from user-generated content, while OpenAI's Deep Research used it for just 0.4% (3 of 176 queries), appearing to filter it out aggressively in favor of established media, government sources, and official product pages.¹ In other words, this is a demonstrated weakness in how the systems work — not proof that any specific consumer chatbot has been tricked in the wild.

Why this is GEO gone rogue

If "optimize content so AI engines cite it" sounds familiar, that is because it is a real, fast-growing marketing discipline: generative engine optimization (GEO), the AI-era successor to SEO.⁴ WARP is what happens when GEO techniques are pointed at fabricated entities instead of real ones. The Cornell team even used a GEO-style optimization prompt to rewrite their bait for maximum citation likelihood.¹

A big reason it works is epistemic. As lead author Tingwei Zhang told 404 Media, these systems weigh a random Reddit comment and a government website as roughly equally credible.⁵ The agents also tend to treat text that reads like the question as a proxy for text that is accurate — so an attacker who mirrors common phrasing wins the model's trust.⁵

And this is no longer just a lab finding. China's state broadcaster CCTV demonstrated the same idea at the country's March 2026 "315" consumer-rights gala: reporters invented a smart wristband called Apollo 9, described it with nonsense specs like "quantum-entanglement sensors" and "black hole-level battery life," and seeded those terms online so AI assistants would surface them. Chinese chatbots duly began recommending the nonexistent product to real users — and some kept doing so even a day after the exposé aired.³ A February 2026 iiMedia Research report pegged China's GEO industry at roughly 35 billion yuan in 2025, up 67% year over year — a large, commercial engine pointed straight at this attack surface.³

Why the obvious defenses failed

The hard part is that the easy fixes do not work. The researchers tested the intuitive defenses — blocking user-generated sites outright, screening sources before they are used, and scanning the final answer for manipulation — and none held up without making the agent's answers noticeably worse.⁵ Blocking Reddit and Wikipedia, for instance, strips out genuinely useful community knowledge along with the poison.

Worse, a standard trick for catching AI-generated junk backfired. Detectors that flag "unnatural" text assume machine-written content reads awkwardly — but GEO-optimized bait reads more fluently than genuine human comments, not less, so the filter is pointed the wrong way.⁵ Reddit told 404 Media it has spent two decades fighting spam and coordinated manipulation and recently began asking suspicious automated accounts to verify they are human, but the researchers frame this as a societal-scale problem no single platform can fully solve.⁵

If you build retrieval systems, this is a reminder that source trust has to be earned, not assumed. The same discipline that prevents common RAG failures — provenance tracking, source weighting, and cross-checking claims against authoritative references — is now a security control, not just a quality one. It pairs naturally with the kind of LLM guardrails real applications need.

What you can do right now

For everyday users, the fix is skepticism applied at the right moments:

• Treat AI recommendations as leads, not verdicts — especially for anything tied to money, health, or safety.
• Click the citations. If an AI confidently names a brand, check where the claim came from. A single Reddit comment is a red flag.
• Cross-check unfamiliar names independently before trusting a "top-rated" option you have never heard of.
• Be extra careful with urgent queries — emergency roadside help, customer-service numbers, and account recovery are prime scam targets.

For builders, the takeaways are sharper: assume your retrieved corpus is adversarial, down-weight high-overlap user-generated pages, demand corroboration from independent sources before citing a claim, and remember that fluency is not credibility. The broader fight against confident-but-wrong output is the same one behind hallucination prevention, and it now has an active adversary on the other side.

The bottom line

WARP is a wake-up call about the plumbing of AI search. The same architecture that makes deep-research agents convenient — read the open web, trust the crowd, cite as you go — is the architecture that lets 13 words bend an answer. The fix is not a single patch; it is a shift in how both users and builders treat retrieved content: helpful, but worth double-checking. Treat an AI's confident recommendation the way you would advice from a chatty stranger on a forum. Useful, occasionally brilliant, and never the last word.