Retrieval-Augmented Generation Poisoning is the adversarial corruption of a RAG pipeline's external knowledge base, causing an agent to retrieve and ground its responses in attacker-controlled documents. This attack targets the retrieval mechanism rather than the model weights, injecting malicious content into vector stores, document corpora, or knowledge graphs that the agent treats as authoritative ground truth during inference.
Glossary
Retrieval-Augmented Generation Poisoning

What is Retrieval-Augmented Generation Poisoning?
Retrieval-Augmented Generation Poisoning is an adversarial attack that corrupts the external knowledge base of a RAG pipeline, causing the agent to retrieve and ground its responses in attacker-controlled documents rather than legitimate sources.
Unlike direct prompt injection, which targets the immediate context window, RAG poisoning is a persistent supply-chain attack on the agent's factual foundation. An adversary seeds poisoned documents into crawlable web sources or directly compromises the vector database, ensuring that semantic search queries return manipulated chunks. The agent then faithfully synthesizes responses from this corrupted context, producing outputs that appear well-grounded but serve the attacker's objectives—ranging from misinformation propagation to indirect tool invocation.
Primary Attack Vectors
The adversarial corruption of a RAG pipeline's external knowledge base, causing the agent to retrieve and ground its responses in attacker-controlled documents.
Corpus Poisoning
A large-scale attack where an adversary seeds the public web with malicious documents, knowing they will be crawled, indexed, and retrieved by agents for RAG grounding. This is a proactive, indirect attack that targets the retrieval corpus rather than the agent itself. The attacker anticipates the agent's crawling schedule and search queries, planting content optimized for semantic similarity to legitimate topics. When the agent retrieves this content, it grounds its responses in attacker-controlled narratives, leading to misinformation, brand damage, or downstream exploitation.
Vector Store Contamination
The insertion of malicious vector embeddings directly into a vector database to manipulate semantic search results. Unlike corpus poisoning, this targets the post-ingestion index. An attacker with write access injects embeddings that are mathematically close to legitimate query vectors, causing nearest neighbor queries to return adversarial documents. This bypasses source-level filtering because the malicious content resides inside the trusted vector store. Detection requires embedding drift monitoring and provenance verification.
Indirect Prompt Injection
An attack where malicious instructions are hidden within external data sources that an agent retrieves, causing the agent to execute those instructions as if they were part of its system prompt. Common vectors include:
- Hidden text in web pages (white-on-white font, zero-width characters)
- Comments in code retrieved from repositories
- PDF metadata fields containing override commands
- Markdown links with prompt injection payloads in the URL The agent treats retrieved content as authoritative context, making this attack particularly dangerous for tool-calling agents.
Re-ranking Manipulation
An attack that exploits a cross-encoder or re-ranking model to artificially boost the relevance score of a malicious document, ensuring it is surfaced to the agent over legitimate sources. The attacker crafts content that exploits known scoring biases in re-ranking models, such as:
- Over-optimizing for lexical overlap with the query
- Exploiting position bias in listwise ranking
- Injecting authority signals (fake citations, domain spoofing) This attack is subtle because the malicious document appears to be the most relevant result according to the system's own scoring mechanism.
Metadata Spoofing
The falsification of document metadata—source, date, authority signals—to deceive an agent into trusting and prioritizing attacker-controlled information. Agents often use metadata as a trust heuristic, giving higher weight to documents from authoritative domains, recent publication dates, or verified authors. An attacker who spoofs these signals can make malicious content appear as a definitive, high-confidence source. This is particularly effective against agents that display citations to end-users, lending false credibility to fabricated information.
Chunk Boundary Attack
A technique that exploits document segmentation by placing malicious content precisely at chunk boundaries. When a document is split into overlapping or fixed-size chunks for embedding, an attacker can craft content so that a malicious payload becomes a standalone, authoritative context fragment. Because chunking algorithms often break on paragraph or sentence boundaries, the attacker's payload is retrieved without the surrounding context that might reveal its adversarial nature. The agent then treats this isolated fragment as a complete, trustworthy fact.
RAG Poisoning vs. Related Attacks
Distinguishing retrieval corruption from other context manipulation techniques in agentic systems
| Attack Vector | RAG Poisoning | Prompt Injection | Context Window Overflow |
|---|---|---|---|
Primary Target | External knowledge base and retrieval pipeline | System prompt and instruction hierarchy | Token budget and context capacity |
Attack Surface | Vector store, document corpus, metadata indexes | User input, tool outputs, retrieved content | Multi-turn history, long-form documents |
Persistence | Persistent across sessions until decontaminated | Typically single-session unless stored in memory | Session-scoped; resets on context clear |
Requires Data Insertion | |||
Exploits Retrieval Mechanism | |||
Mitigation Difficulty | High - requires corpus-wide sanitization | Medium - input filtering and instruction hardening | Low-Medium - token limits and truncation strategies |
Detection Method | Embedding drift analysis, retrieval audit logs | Perplexity scoring, instruction boundary checks | Token count monitoring, attention pattern analysis |
Example Payload | Poisoned PDF uploaded to document store | Ignore previous instructions embedded in email | 10,000 tokens of Lorem Ipsum prepended to query |
Frequently Asked Questions
Clear, technical answers to the most common questions about adversarial attacks targeting retrieval-augmented generation pipelines and agent memory systems.
Retrieval-Augmented Generation (RAG) Poisoning is the adversarial corruption of a RAG pipeline's external knowledge base, causing an agent to retrieve and ground its responses in attacker-controlled documents rather than legitimate sources. Unlike direct prompt injection, which targets the immediate user input, RAG poisoning contaminates the vector store, document corpus, or knowledge graph that the agent relies on for factual grounding. The attack exploits the implicit trust agents place in retrieved context: when a user asks a question, the system performs a semantic search, fetches what it believes are authoritative documents, and uses them to generate an answer. If an attacker has inserted malicious content into that retrieval index—through techniques like corpus poisoning, metadata spoofing, or chunk boundary attacks—the agent unknowingly synthesizes responses from poisoned material. This is particularly dangerous because the attack persists across user sessions and can influence any query that triggers retrieval of the contaminated documents, making it a scalable and stealthy threat vector for enterprise RAG deployments.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the attack vectors and defense mechanisms related to the adversarial manipulation of agent memory, retrieval pipelines, and long-term context.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us