Inferensys

Glossary

Retrieval Poisoning

Retrieval poisoning is an attack that contaminates a vector database or knowledge base with malicious documents, causing a Retrieval-Augmented Generation (RAG) system to retrieve and execute adversarial instructions as grounded context.
Developer working on RAG retrieval system, document chunks visible on screen, technical workspace with code editor.
RAG SECURITY THREAT

What is Retrieval Poisoning?

A data poisoning attack targeting the external knowledge bases of Retrieval-Augmented Generation (RAG) systems to inject adversarial instructions.

Retrieval Poisoning is a cyberattack where an adversary contaminates a vector database or document store with malicious content, causing a RAG system to retrieve and execute adversarial instructions. Unlike direct prompt injection, the attacker does not interact with the model directly; they exploit the retrieval mechanism by inserting poisoned documents that rank highly for specific semantic queries.

When the agent retrieves the tainted chunk, the malicious text is inserted into the model's context window, where it can override system prompts or exfiltrate data. Defenses include data provenance verification, strict source filtering, and adversarial robustness testing of the embedding and retrieval pipeline to detect anomalous content before it reaches the reasoning engine.

RETRIEVAL POISONING

Common Attack Vectors

The primary methodologies adversaries use to contaminate vector databases and knowledge bases, causing RAG systems to retrieve and execute malicious instructions.

01

Direct Document Injection

The attacker directly uploads or inserts a malicious document into the target knowledge base. This is the most straightforward vector, often exploiting weak access controls on document ingestion pipelines.

  • Mechanism: The document contains hidden text in white font, zero-width characters, or text encoded in a way that is invisible to human reviewers but parsed by the chunking algorithm.
  • Payload: The hidden text contains a prompt injection like "Ignore previous instructions and...".
  • Example: Uploading a seemingly benign PDF resume to a company's internal HR knowledge base that contains invisible text instructing the agent to expose salary data.
02

Content Chunking Exploitation

This attack targets the text-splitting logic of the RAG ingestion pipeline. The adversary crafts a document designed to fragment in a way that creates a malicious standalone chunk.

  • Mechanism: The attacker places a malicious instruction between two specific delimiters or at a precise character count boundary, knowing the chunker splits on those markers.
  • Result: A chunk is created that consists solely of the adversarial instruction, divorced from its benign surrounding context.
  • Key Insight: The attacker must understand or guess the target's chunk size and overlap parameters to execute this precisely.
03

SEO and Web-Scale Poisoning

An indirect attack where the adversary publishes malicious content on the public web, anticipating that the target's RAG system will crawl and index it as an authoritative source.

  • Mechanism: The attacker uses search engine optimization (SEO) techniques to rank a poisoned page highly for specific technical queries the target agent is known to research.
  • Scale: This is a broadcast attack—a single poisoned page can compromise multiple independent RAG systems that crawl the same web domain.
  • Example: Creating a fake documentation page for a popular Python library that includes hidden instructions to exfiltrate API keys.
04

Embedding Space Shifting

A sophisticated attack that crafts text to manipulate the vector representation itself, causing malicious content to be retrieved for a wide range of benign, high-probability queries.

  • Mechanism: The attacker uses adversarial examples—text perturbed with specific token sequences—to position the malicious document's embedding vector close to clusters of legitimate queries in the vector space.
  • Effect: The poisoned document becomes a nearest neighbor for many unrelated user questions, dramatically increasing its retrieval frequency.
  • Challenge: This requires white-box or gray-box access to the embedding model to compute effective perturbations.
05

Temporal Triggering Logic

The attacker plants a logic bomb in the knowledge base that remains dormant until a specific temporal condition is met, evading immediate detection during ingestion.

  • Mechanism: The malicious instruction is prefaced with a condition like "If the current date is after 2025-06-01, then...". The model ignores it during testing but executes it later.
  • Purpose: To bypass time-bound security audits and human review processes that occur immediately after document upload.
  • Variation: Triggers can also be based on user identity, query keywords, or the presence of other retrieved documents.
06

Multi-Stage Retrieval Chains

A kill chain where a primary poisoned document retrieves a secondary, seemingly benign document that contains the final payload, defeating single-document inspection.

  • Step 1: Document A is retrieved. It contains no direct malicious instruction, only a command to "search for policy update X."
  • Step 2: The agent's own tool-calling ability retrieves Document B, which contains the actual adversarial payload.
  • Defense Evasion: Neither document is malicious in isolation; the attack only manifests through the agent's autonomous chaining behavior.
ATTACK VECTOR DIFFERENTIATION

Retrieval Poisoning vs. Related Attacks

A comparative analysis of retrieval poisoning against adjacent adversarial techniques targeting RAG systems and agent memory.

FeatureRetrieval PoisoningIndirect Prompt InjectionContext Window Poisoning

Attack Vector

Malicious documents inserted into the vector database or knowledge base

Malicious instructions embedded in external data sources retrieved at query time

Adversarial manipulation of agent memory or long-term context stores

Target Component

Vector index and document store

Retrieved snippets and tool outputs

Conversation history and episodic memory buffers

Persistence

Attacker Access Required

Write access to the knowledge ingestion pipeline

Control over a public web page or API endpoint

Write access to the agent's memory management system

Trigger Mechanism

Semantic similarity match during normal retrieval

User query that triggers retrieval of the poisoned source

Agent reflection or memory recall operation

Primary Mitigation

Document provenance verification and ingestion sandboxing

Instruction hierarchy and data provenance tagging

Memory segmentation and cryptographic integrity checks

Detection Difficulty

High - payload blends with legitimate documents

Medium - detectable with semantic filtering

Very High - operates within trusted memory structures

Blast Radius

All users querying the poisoned topic

Single user session or query chain

Persistent across all future agent sessions

RETRIEVAL POISONING

Frequently Asked Questions

Explore the mechanics, risks, and defenses against adversarial contamination of vector databases and knowledge bases used in Retrieval-Augmented Generation (RAG) systems.

Retrieval poisoning is an attack vector where an adversary deliberately contaminates a vector database or knowledge base with malicious documents. When a Retrieval-Augmented Generation (RAG) system performs a semantic search, it retrieves these poisoned chunks and injects them into the model's context window. The attack exploits the implicit trust that the language model places in retrieved data, causing it to execute adversarial instructions, exfiltrate data, or generate factually incorrect outputs. Unlike direct prompt injection, the attacker does not need direct access to the user prompt; they simply need to get their content indexed by the retrieval pipeline, often through public web crawling or document upload features.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.