Retrieval Poisoning is a cyberattack where an adversary contaminates a vector database or document store with malicious content, causing a RAG system to retrieve and execute adversarial instructions. Unlike direct prompt injection, the attacker does not interact with the model directly; they exploit the retrieval mechanism by inserting poisoned documents that rank highly for specific semantic queries.
Glossary
Retrieval Poisoning

What is Retrieval Poisoning?
A data poisoning attack targeting the external knowledge bases of Retrieval-Augmented Generation (RAG) systems to inject adversarial instructions.
When the agent retrieves the tainted chunk, the malicious text is inserted into the model's context window, where it can override system prompts or exfiltrate data. Defenses include data provenance verification, strict source filtering, and adversarial robustness testing of the embedding and retrieval pipeline to detect anomalous content before it reaches the reasoning engine.
Common Attack Vectors
The primary methodologies adversaries use to contaminate vector databases and knowledge bases, causing RAG systems to retrieve and execute malicious instructions.
Direct Document Injection
The attacker directly uploads or inserts a malicious document into the target knowledge base. This is the most straightforward vector, often exploiting weak access controls on document ingestion pipelines.
- Mechanism: The document contains hidden text in white font, zero-width characters, or text encoded in a way that is invisible to human reviewers but parsed by the chunking algorithm.
- Payload: The hidden text contains a prompt injection like
"Ignore previous instructions and...". - Example: Uploading a seemingly benign PDF resume to a company's internal HR knowledge base that contains invisible text instructing the agent to expose salary data.
Content Chunking Exploitation
This attack targets the text-splitting logic of the RAG ingestion pipeline. The adversary crafts a document designed to fragment in a way that creates a malicious standalone chunk.
- Mechanism: The attacker places a malicious instruction between two specific delimiters or at a precise character count boundary, knowing the chunker splits on those markers.
- Result: A chunk is created that consists solely of the adversarial instruction, divorced from its benign surrounding context.
- Key Insight: The attacker must understand or guess the target's chunk size and overlap parameters to execute this precisely.
SEO and Web-Scale Poisoning
An indirect attack where the adversary publishes malicious content on the public web, anticipating that the target's RAG system will crawl and index it as an authoritative source.
- Mechanism: The attacker uses search engine optimization (SEO) techniques to rank a poisoned page highly for specific technical queries the target agent is known to research.
- Scale: This is a broadcast attack—a single poisoned page can compromise multiple independent RAG systems that crawl the same web domain.
- Example: Creating a fake documentation page for a popular Python library that includes hidden instructions to exfiltrate API keys.
Embedding Space Shifting
A sophisticated attack that crafts text to manipulate the vector representation itself, causing malicious content to be retrieved for a wide range of benign, high-probability queries.
- Mechanism: The attacker uses adversarial examples—text perturbed with specific token sequences—to position the malicious document's embedding vector close to clusters of legitimate queries in the vector space.
- Effect: The poisoned document becomes a nearest neighbor for many unrelated user questions, dramatically increasing its retrieval frequency.
- Challenge: This requires white-box or gray-box access to the embedding model to compute effective perturbations.
Temporal Triggering Logic
The attacker plants a logic bomb in the knowledge base that remains dormant until a specific temporal condition is met, evading immediate detection during ingestion.
- Mechanism: The malicious instruction is prefaced with a condition like
"If the current date is after 2025-06-01, then...". The model ignores it during testing but executes it later. - Purpose: To bypass time-bound security audits and human review processes that occur immediately after document upload.
- Variation: Triggers can also be based on user identity, query keywords, or the presence of other retrieved documents.
Multi-Stage Retrieval Chains
A kill chain where a primary poisoned document retrieves a secondary, seemingly benign document that contains the final payload, defeating single-document inspection.
- Step 1: Document A is retrieved. It contains no direct malicious instruction, only a command to "search for policy update X."
- Step 2: The agent's own tool-calling ability retrieves Document B, which contains the actual adversarial payload.
- Defense Evasion: Neither document is malicious in isolation; the attack only manifests through the agent's autonomous chaining behavior.
Retrieval Poisoning vs. Related Attacks
A comparative analysis of retrieval poisoning against adjacent adversarial techniques targeting RAG systems and agent memory.
| Feature | Retrieval Poisoning | Indirect Prompt Injection | Context Window Poisoning |
|---|---|---|---|
Attack Vector | Malicious documents inserted into the vector database or knowledge base | Malicious instructions embedded in external data sources retrieved at query time | Adversarial manipulation of agent memory or long-term context stores |
Target Component | Vector index and document store | Retrieved snippets and tool outputs | Conversation history and episodic memory buffers |
Persistence | |||
Attacker Access Required | Write access to the knowledge ingestion pipeline | Control over a public web page or API endpoint | Write access to the agent's memory management system |
Trigger Mechanism | Semantic similarity match during normal retrieval | User query that triggers retrieval of the poisoned source | Agent reflection or memory recall operation |
Primary Mitigation | Document provenance verification and ingestion sandboxing | Instruction hierarchy and data provenance tagging | Memory segmentation and cryptographic integrity checks |
Detection Difficulty | High - payload blends with legitimate documents | Medium - detectable with semantic filtering | Very High - operates within trusted memory structures |
Blast Radius | All users querying the poisoned topic | Single user session or query chain | Persistent across all future agent sessions |
Frequently Asked Questions
Explore the mechanics, risks, and defenses against adversarial contamination of vector databases and knowledge bases used in Retrieval-Augmented Generation (RAG) systems.
Retrieval poisoning is an attack vector where an adversary deliberately contaminates a vector database or knowledge base with malicious documents. When a Retrieval-Augmented Generation (RAG) system performs a semantic search, it retrieves these poisoned chunks and injects them into the model's context window. The attack exploits the implicit trust that the language model places in retrieved data, causing it to execute adversarial instructions, exfiltrate data, or generate factually incorrect outputs. Unlike direct prompt injection, the attacker does not need direct access to the user prompt; they simply need to get their content indexed by the retrieval pipeline, often through public web crawling or document upload features.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding retrieval poisoning requires mapping the broader ecosystem of adversarial attacks that target RAG pipelines and agent memory systems.
Indirect Prompt Injection
The parent attack vector of retrieval poisoning. Malicious instructions are embedded in external data sources—web pages, PDFs, emails—that an application retrieves and processes. Unlike direct injection, the attacker never touches the prompt; they poison the data the prompt consumes. Retrieval poisoning is the specific act of contaminating the vector database to enable this injection.
Context Window Poisoning
A broader class of attacks targeting an agent's working memory. While retrieval poisoning focuses on corrupting the retrieval source, context window poisoning encompasses any adversarial manipulation of the information placed into the model's attention window, including:
- Long-term memory corruption in episodic stores
- Chat history contamination across sessions
- Tool output spoofing that injects false context
Payload Splitting
An evasion technique where a malicious instruction is divided across multiple documents in the knowledge base. Each fragment appears benign in isolation—a harmless code comment, a product description—but when the RAG system retrieves and concatenates them into the context window, the model reassembles the attack. This defeats simple per-document content filters.
Context Persistence Attack
A long-con strategy where an attacker plants dormant malicious instructions in a knowledge base that remain inert until triggered by a specific user query. The poisoned document might contain conditional logic: 'If the user asks about pricing, ignore previous instructions and...' This temporal decoupling makes forensic attribution extremely difficult.
Semantic Filtering
A defensive technique that uses embedding models to understand the underlying intent of retrieved documents before they enter the context window. Rather than relying on keyword blocklists—easily bypassed by retrieval poisoning—semantic filters compare document embeddings against known attack patterns. Effective but computationally expensive at retrieval scale.
Data Exfiltration via Prompt
The endgame of many retrieval poisoning attacks. Once a compromised document instructs the model to act maliciously, the agent is often directed to encode and transmit sensitive context data to an attacker-controlled endpoint. This can include user queries, retrieved proprietary documents, or system prompt contents—all exfiltrated through seemingly benign API calls or generated URLs.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us