Inferensys

Glossary

Retrieval-Augmented Generation Poisoning

The adversarial corruption of a RAG pipeline's external knowledge base, causing the agent to retrieve and ground its responses in attacker-controlled documents.
Developer working on RAG retrieval system, document chunks visible on screen, technical workspace with code editor.
DATA INTEGRITY ATTACK

What is Retrieval-Augmented Generation Poisoning?

Retrieval-Augmented Generation Poisoning is an adversarial attack that corrupts the external knowledge base of a RAG pipeline, causing the agent to retrieve and ground its responses in attacker-controlled documents rather than legitimate sources.

Retrieval-Augmented Generation Poisoning is the adversarial corruption of a RAG pipeline's external knowledge base, causing an agent to retrieve and ground its responses in attacker-controlled documents. This attack targets the retrieval mechanism rather than the model weights, injecting malicious content into vector stores, document corpora, or knowledge graphs that the agent treats as authoritative ground truth during inference.

Unlike direct prompt injection, which targets the immediate context window, RAG poisoning is a persistent supply-chain attack on the agent's factual foundation. An adversary seeds poisoned documents into crawlable web sources or directly compromises the vector database, ensuring that semantic search queries return manipulated chunks. The agent then faithfully synthesizes responses from this corrupted context, producing outputs that appear well-grounded but serve the attacker's objectives—ranging from misinformation propagation to indirect tool invocation.

RAG POISONING

Primary Attack Vectors

The adversarial corruption of a RAG pipeline's external knowledge base, causing the agent to retrieve and ground its responses in attacker-controlled documents.

01

Corpus Poisoning

A large-scale attack where an adversary seeds the public web with malicious documents, knowing they will be crawled, indexed, and retrieved by agents for RAG grounding. This is a proactive, indirect attack that targets the retrieval corpus rather than the agent itself. The attacker anticipates the agent's crawling schedule and search queries, planting content optimized for semantic similarity to legitimate topics. When the agent retrieves this content, it grounds its responses in attacker-controlled narratives, leading to misinformation, brand damage, or downstream exploitation.

60%+
Web content is AI-generated spam by 2026 (projected)
02

Vector Store Contamination

The insertion of malicious vector embeddings directly into a vector database to manipulate semantic search results. Unlike corpus poisoning, this targets the post-ingestion index. An attacker with write access injects embeddings that are mathematically close to legitimate query vectors, causing nearest neighbor queries to return adversarial documents. This bypasses source-level filtering because the malicious content resides inside the trusted vector store. Detection requires embedding drift monitoring and provenance verification.

03

Indirect Prompt Injection

An attack where malicious instructions are hidden within external data sources that an agent retrieves, causing the agent to execute those instructions as if they were part of its system prompt. Common vectors include:

  • Hidden text in web pages (white-on-white font, zero-width characters)
  • Comments in code retrieved from repositories
  • PDF metadata fields containing override commands
  • Markdown links with prompt injection payloads in the URL The agent treats retrieved content as authoritative context, making this attack particularly dangerous for tool-calling agents.
04

Re-ranking Manipulation

An attack that exploits a cross-encoder or re-ranking model to artificially boost the relevance score of a malicious document, ensuring it is surfaced to the agent over legitimate sources. The attacker crafts content that exploits known scoring biases in re-ranking models, such as:

  • Over-optimizing for lexical overlap with the query
  • Exploiting position bias in listwise ranking
  • Injecting authority signals (fake citations, domain spoofing) This attack is subtle because the malicious document appears to be the most relevant result according to the system's own scoring mechanism.
05

Metadata Spoofing

The falsification of document metadata—source, date, authority signals—to deceive an agent into trusting and prioritizing attacker-controlled information. Agents often use metadata as a trust heuristic, giving higher weight to documents from authoritative domains, recent publication dates, or verified authors. An attacker who spoofs these signals can make malicious content appear as a definitive, high-confidence source. This is particularly effective against agents that display citations to end-users, lending false credibility to fabricated information.

06

Chunk Boundary Attack

A technique that exploits document segmentation by placing malicious content precisely at chunk boundaries. When a document is split into overlapping or fixed-size chunks for embedding, an attacker can craft content so that a malicious payload becomes a standalone, authoritative context fragment. Because chunking algorithms often break on paragraph or sentence boundaries, the attacker's payload is retrieved without the surrounding context that might reveal its adversarial nature. The agent then treats this isolated fragment as a complete, trustworthy fact.

ATTACK VECTOR COMPARISON

RAG Poisoning vs. Related Attacks

Distinguishing retrieval corruption from other context manipulation techniques in agentic systems

Attack VectorRAG PoisoningPrompt InjectionContext Window Overflow

Primary Target

External knowledge base and retrieval pipeline

System prompt and instruction hierarchy

Token budget and context capacity

Attack Surface

Vector store, document corpus, metadata indexes

User input, tool outputs, retrieved content

Multi-turn history, long-form documents

Persistence

Persistent across sessions until decontaminated

Typically single-session unless stored in memory

Session-scoped; resets on context clear

Requires Data Insertion

Exploits Retrieval Mechanism

Mitigation Difficulty

High - requires corpus-wide sanitization

Medium - input filtering and instruction hardening

Low-Medium - token limits and truncation strategies

Detection Method

Embedding drift analysis, retrieval audit logs

Perplexity scoring, instruction boundary checks

Token count monitoring, attention pattern analysis

Example Payload

Poisoned PDF uploaded to document store

Ignore previous instructions embedded in email

10,000 tokens of Lorem Ipsum prepended to query

RAG POISONING FAQ

Frequently Asked Questions

Clear, technical answers to the most common questions about adversarial attacks targeting retrieval-augmented generation pipelines and agent memory systems.

Retrieval-Augmented Generation (RAG) Poisoning is the adversarial corruption of a RAG pipeline's external knowledge base, causing an agent to retrieve and ground its responses in attacker-controlled documents rather than legitimate sources. Unlike direct prompt injection, which targets the immediate user input, RAG poisoning contaminates the vector store, document corpus, or knowledge graph that the agent relies on for factual grounding. The attack exploits the implicit trust agents place in retrieved context: when a user asks a question, the system performs a semantic search, fetches what it believes are authoritative documents, and uses them to generate an answer. If an attacker has inserted malicious content into that retrieval index—through techniques like corpus poisoning, metadata spoofing, or chunk boundary attacks—the agent unknowingly synthesizes responses from poisoned material. This is particularly dangerous because the attack persists across user sessions and can influence any query that triggers retrieval of the contaminated documents, making it a scalable and stealthy threat vector for enterprise RAG deployments.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.