This work exposes a critical security vulnerability in the test-time personalization (TIP) phase of federated learning: heterogeneous domain shifts, algorithmic disparities, and limited cross-client visibility render local adaptation susceptible to data poisoning attacks. To address this, we propose the first systematic gray-box data poisoning attack model for TIP, introducing a novel poison sample generation method based on surrogate model distillation and feature consistency constraints. Our approach efficiently crafts high-entropy or confidence-mimicking poisoned inputs that evade mainstream adaptive filtering mechanisms. Extensive experiments on noisy vision benchmarks demonstrate that even a small number of compromised clients significantly degrade both global and per-client TIP performance—validating the attack’s practical feasibility and severity in real-world deployments. This work establishes the first reproducible attack paradigm and evaluation benchmark for TIP security research.

Test-time personalization in federated learning enables models at clients to adjust online to local domain shifts, enhancing robustness and personalization in deployment. Yet, existing federated learning work largely overlooks the security risks that arise when local adaptation occurs at test time. Heterogeneous domain arrivals, diverse adaptation algorithms, and limited cross-client visibility create vulnerabilities where compromised participants can craft poisoned inputs and submit adversarial updates that undermine both global and per-client performance. To address this threat, we introduce FedPoisonTTP, a realistic grey-box attack framework that explores test-time data poisoning in the federated adaptation setting. FedPoisonTTP distills a surrogate model from adversarial queries, synthesizes in-distribution poisons using feature-consistency, and optimizes attack objectives to generate high-entropy or class-confident poisons that evade common adaptation filters. These poisons are injected during local adaptation and spread through collaborative updates, leading to broad degradation. Extensive experiments on corrupted vision benchmarks show that compromised participants can substantially diminish overall test-time performance.