RAG Security

RAG Security - 3
RAG Security: Attack Surfaces in Retrieval Pipelines | Trendix
RAG Security

Your Retrieval Pipeline Is
the Attack Surface

Most teams protect the prompt interface and wave through everything behind it. That blind spot is where researchers are consistently finding 90%+ attack success rates — against knowledge bases containing millions of documents.

TM
Tom Morgan
Security Architecture · B2B / Enterprise AI
May 2026 · 14 min read
TL;DR
  • RAG pipelines expose at least six distinct attack surfaces — ingestion, embedding, vector DB, retrieval, orchestration, and output — none of which traditional AppSec tooling monitors.
  • PoisonedRAG (USENIX Security 2025) showed five crafted documents can corrupt a multi-million-document knowledge base with 90% success. HijackRAG hit 97% ASR. Both attacks transfer across retriever models.
  • EchoLeak (CVE-2025-32711, CVSS 9.3) proved this isn’t academic: one email silently exfiltrated M365 Copilot data — zero clicks required.
  • OWASP added LLM08:2025 specifically for vector and embedding weaknesses. The retrieval layer is a distinct, undertested attack class.
  • Defenses exist but require architectural changes, not just guardrails. Input paraphrasing and top-k expansion are documented as insufficient.

There’s a pattern I keep seeing in security architecture reviews of enterprise AI systems. Teams spend a full afternoon debating prompt injection defenses, input validation strategies, and content moderation thresholds. Then someone asks about the document ingestion pipeline — the thing that feeds the retrieval system — and the room goes quiet. “That’s all internal data,” someone says. The conversation moves on.

That assumption is wrong, and research published over the past eighteen months has proven it, repeatedly, with numbers that are hard to dismiss.

RAG was supposed to fix the hallucination problem. Ground the model in real, verified documents, and it produces real, verified answers. That framing is accurate as far as it goes. But the security implication — that grounding an LLM in “trusted” documents makes the system more trustworthy — doesn’t follow. It introduces a new class of attack surface that most organizations aren’t testing at all.

What a RAG Pipeline Actually Looks Like

Before talking about attack surfaces, it helps to be precise about what we’re analyzing. A production RAG pipeline isn’t one thing — it’s a sequence of distinct components, each with its own trust boundary and its own failure mode under adversarial pressure.

RAG Pipeline — Attack Surface Map
DATA SOURCES ① INGESTION EMBED- DING MODEL ② EMBEDDING VECTOR DATABASE ③ VECTOR DB RETRIEVAL LOGIC ④ RETRIEVAL LLM + GENERATION ⑤ OUTPUT POISONING DIRECT WRITE INDIRECT INJ. USER TRUST BOUNDARY: inputs validated → retrieved context implicitly trusted (this is the problem)

The trust inversion at the bottom of that diagram is the root cause of most RAG vulnerabilities. User inputs get sanitized, rate-limited, flagged by classifiers. Retrieved context — the documents the system selects and drops directly into the prompt — gets treated as trusted. This isn’t a bug in any single implementation. It’s an architectural assumption baked into how RAG was designed.

Attack Surface 1: Knowledge Base Poisoning

This is where the most consequential research is happening right now, and the numbers are genuinely alarming.

PoisonedRAG, presented at USENIX Security 2025 by researchers at Pennsylvania State University and the Illinois Institute of Technology, demonstrated something that should change how you think about knowledge base security. Five carefully crafted documents injected into a knowledge base containing millions of texts can corrupt AI responses for targeted queries with a 90% attack success rate. Not in a toy environment — across real benchmark datasets, evaluated against multiple LLMs.

90%
PoisonedRAG success rate with just 5 injected documents (USENIX Security 2025)
97%
HijackRAG peak attack success rate, black-box setting, HotpotQA/LLaMA3 (arXiv 2410.22832)
9.3
CVSS score, EchoLeak (CVE-2025-32711) — zero-click M365 Copilot data exfil
74%
Poisoning success rate against unsanitized PDF/doc data loaders (arXiv research, 2025)

The attack works because retrieval systems are fundamentally similarity-matching engines. If an attacker can craft a document that scores highly on semantic similarity to a target query, it gets surfaced in the top-k results. From there, the LLM processes it as authoritative context. The attack doesn’t need access to the model, the vector database credentials, or any part of the inference infrastructure. It only needs a write path to the knowledge source.

That write path is often much wider than teams realize. Public web crawlers, Confluence integrations, Slack channel scrapers, automated document ingestion from email — every one of these is a potential injection surface. One practical attack pattern that doesn’t require any sophisticated tooling: briefly edit a Wikipedia article, public documentation page, or GitHub README with poisoned content. If the RAG pipeline ingests that source on a scheduled crawl, the poisoned version enters the vector database. Even after the source edit is reverted, the poisoned embedding persists until the next full re-indexing, which in most organizations happens weekly or monthly.

EchoLeak: The First Zero-Click RAG Exploit in Production

Researchers at Aim Security discovered CVE-2025-32711, a critical vulnerability in Microsoft 365 Copilot’s RAG pipeline, patched in the June 2025 Patch Tuesday release. The attack required one email. No user clicks. No malware.

The mechanism: an attacker sends a business-looking email containing hidden prompt injection instructions. Days later, when the victim asks Copilot anything that causes it to retrieve the email as context — “summarize recent onboarding communications,” for instance — the hidden instructions activate. Copilot accesses the broadest set of internal data its permissions allow (Teams chats, SharePoint files, OneDrive documents, Outlook archives) and exfiltrates the most sensitive content to an attacker-controlled server, routing through a Microsoft domain to bypass Content-Security-Policy controls.

Aim Security coined the term “LLM Scope Violation” for this class of attack. The AI model is tricked into violating its own trust boundaries by conflating untrusted external input with authorized internal context. Microsoft called it the first documented zero-click exploit against a production AI agent. Aim’s disclosure explicitly warned that “additional manifestations in other RAG-based chatbots and AI agents” are likely.

CVE
CVE-2025-32711 · CVSS 9.3
Attack Type
Indirect Prompt Injection + LLM Scope Violation
Mechanism
RAG retrieval of poisoned email triggers silent data exfiltration
Cost
Potential exposure of all data within Copilot’s permission scope

Attack Surface 2: Indirect Prompt Injection Through Retrieval

Prompt injection via direct user input is well-understood at this point. Teams build classifiers for it, apply guardrails, monitor for suspicious patterns. What’s genuinely harder to defend is the indirect variant — where malicious instructions arrive not from the user but from documents the RAG system retrieves and presents as trusted context.

The OWASP GenAI Top 10 lists this as LLM01:2025 — the highest-priority vulnerability class — explicitly noting that RAG and fine-tuning do not eliminate the risk. The reason it’s so persistent: the model has no reliable way to distinguish between “instructions from the system operator” and “text retrieved from a document that happens to contain instructions.”

“From a defender’s perspective, this is the attack you are guaranteed to face if you operate RAG systems at any meaningful scale.”

The attack chain is straightforward to execute. An attacker places malicious instructions in any content that the RAG pipeline might ingest: public web pages, forum posts, PDF attachments in a help desk ticket, GitHub README files, email bodies. The instructions are written in natural language to blend into surrounding content. When a user query triggers retrieval of that content, the LLM processes the attacker’s instructions as part of its authorized context and executes them.

In August 2025, attackers demonstrated this against development environments by implanting hidden instructions in public GitHub README files. When developers used AI coding assistants to summarize those repositories, the assistants unwittingly executed the embedded commands. The distinction between “summarize this document” and “execute these instructions embedded in this document” turns out to be quite blurry from the model’s perspective.

HijackRAG: When the Retriever Itself Becomes the Weapon

HijackRAG (arXiv 2410.22832) goes a step further. Instead of relying on a single injection point, it structures the attack as an optimization problem: craft a document that simultaneously (1) scores highly on retrieval similarity for the target query, and (2) contains instructions that reliably steer the LLM toward an attacker-chosen response. The researchers tested black-box and white-box attack variants across LLaMA2, LLaMA3, and ChatGLM3, on Natural Questions, HotpotQA, and MS-MARCO datasets.

Peak ASR: 97% on HotpotQA with LLaMA3. Across other combinations, consistently above 80–90%. More concerning: the attack transfers across different retriever models. You can’t mitigate it by swapping out your embedding model. The researchers tested paraphrasing defenses and top-k expansion, finding neither meaningfully reduced success rates — with top-k increased to 50, attack effectiveness remained stable.

Attack Surface 3: Embedding Model and Vector Database

The 2025 revision of the OWASP Top 10 for LLM Applications introduced LLM08:2025 — Vector and Embedding Weaknesses as a new entry. This is worth pausing on. The OWASP list isn’t revised frequently. Adding a new category specifically for the retrieval infrastructure is a signal that the security community recognizes this as a distinct problem class, not a variation of existing issues.

The attack vectors here operate at a level that most application security teams don’t currently reason about. Because retrieval is based on continuous vector embeddings, an attacker can optimize input sequences — analogous to adversarial examples in computer vision — to manipulate which documents get surfaced for which queries. You don’t need to inject documents into the knowledge base directly. You can craft query inputs that, due to properties of the embedding space, consistently retrieve documents that wouldn’t otherwise rank highly.

This connects to a broader problem: the most common enterprise RAG vulnerability in practice isn’t a sophisticated algorithmic attack. It’s inadequate access control on the vector database itself. Vector databases frequently run with overly permissive write access, no authN on query endpoints, or both. Organizations that would never expose a SQL database without authentication regularly deploy vector databases with effectively open write permissions on internal networks, assuming network perimeter controls are sufficient.

The CVE Registry: Confirmed RAG Vulnerabilities, 2025–2026

This isn’t theoretical risk. The CVE database now has an accumulating record of concrete, exploitable RAG pipeline vulnerabilities. The table below covers confirmed disclosures with public documentation.

CVE Affected Component Severity Attack Type Status
CVE-2025-32711 Microsoft 365 Copilot RAG CVSS 9.3 Zero-click indirect prompt injection; LLM scope violation; data exfiltration Patched June 2025
CVE-2025-68664 LangChain Core CVSS 9.3 Serialization injection — arbitrary code execution via deserialization of untrusted data Patched Dec 2025
CVE-2025-1753 LlamaIndex CLI HIGH OS command injection via unsanitized input — remote code execution Patched 2025
CVE-2025-68700 RAGFlow (open-source RAG engine) HIGH Retrieval pipeline injection pre-patch Patched 2025
CVE-2025-69286 RAGFlow (open-source RAG engine) HIGH Knowledge base poisoning via unvalidated document source Patched 2025

The LangChain figure is worth dwelling on. LangChain Core has hundreds of millions of package installs globally. A CVSS 9.3 serialization flaw in an orchestration framework that underpins a significant fraction of production RAG deployments represents supply chain risk at scale. Organizations that patched their application logic but didn’t update framework dependencies remained exposed for months after the disclosure.

Attack Surface 4: The Data Loader Pipeline

Document parsing is where a lot of teams’ mental model of the attack surface breaks down. PDFs, Word documents, HTML pages, Slack exports — all of these require parsing libraries that are processing untrusted content before it reaches the embedding stage. Research on RAG data loaders found a 74% poisoning success rate against implementations that fail to sanitize inputs from documents and PDFs, enabling hidden injections that survive into the vector database.

The attack surface here is broader than most teams account for. Hidden text in PDFs. Metadata fields in Office documents. Comments in HTML. Speaker notes in PowerPoint files — which is exactly what EchoLeak exploited against M365 Copilot. The AI processes everything the parser extracts, including content that a human reader would never see. Standard content security tools scan for malware signatures. They don’t flag natural language instructions embedded in document metadata.

Attack Surface Taxonomy: Severity and Defensive Coverage

Attack Surface Example Vector Research Confidence Typical AppSec Coverage OWASP Reference
Knowledge Base Poisoning Inject 5 crafted docs via web scraper / wiki edit ESTABLISHED None — not in scope for traditional tools LLM08:2025
Indirect Prompt Injection Instructions hidden in retrieved email, PDF, README ESTABLISHED Partial — some XPIA classifiers; bypassable LLM01:2025
Vector DB Access Control Open write endpoint on internal network ESTABLISHED Poor — often assumed internal = trusted LLM08:2025
Data Loader Injection Hidden instructions in PDF metadata / hidden text ESTABLISHED None LLM01:2025
Embedding Space Manipulation Adversarial query inputs targeting retrieval blind spots PROBABLE None LLM08:2025
Orchestration Framework CVEs LangChain / LlamaIndex deserialization RCE ESTABLISHED Partial — dependency scanners help if run LLM05:2025 (Supply Chain)
Cross-Tenant Retrieval Leak Multi-tenant SaaS with shared vector space PROBABLE Poor — isolation logic rarely tested LLM08:2025
Membership Inference Infer what docs are in the knowledge base via output analysis SPECULATIVE None Formalized: arXiv 2509.20324

Research confidence labels: ESTABLISHED = confirmed in peer-reviewed research or production exploit; PROBABLE = demonstrated in controlled conditions, production evidence limited; SPECULATIVE = theorized with formal modeling, limited empirical data.

What Could Be Wrong With the Current Threat Model

Adversarial Section — Where I Might Be Wrong

The 90%+ attack success rates from HijackRAG and PoisonedRAG are real, but they’re measured in controlled research environments. Production RAG pipelines vary enormously in how they chunk documents, which retrieval strategies they use, and what post-retrieval filtering they apply. A pipeline with hybrid retrieval (dense + sparse), re-ranking, and citation verification may substantially reduce ASR — though neither paper found tested defenses sufficient to eliminate the risk.

The claim that “most teams don’t test this surface” is based on my B2B/enterprise client work, primarily in US and EU markets. Organizations with mature ML security programs — a small subset, but they exist — may have more coverage than I’m implying. I haven’t seen systematic industry data on how many enterprise RAG deployments test their retrieval pipelines adversarially. That data gap itself is part of the problem.

Membership inference attacks (inferring knowledge base contents from output analysis) are formally modeled in recent academic work but have limited production evidence. I’ve categorized them as SPECULATIVE accordingly; the formal threat model in arXiv 2509.20324 is worth reading if you’re designing privacy controls for sensitive knowledge bases.

Attack Surface 5: The Multi-Tenant SaaS Problem

Enterprise SaaS products that use RAG — AI-powered support platforms, knowledge management tools, coding assistants — face an attack surface that single-tenant deployments don’t: cross-tenant data leakage via the shared vector space. If retrieval logic doesn’t rigorously enforce tenant isolation at query time, a carefully crafted query from Tenant A might surface documents indexed from Tenant B’s knowledge base.

This isn’t a theoretical concern. The failure mode is documented in security assessments of enterprise RAG architectures, and it’s architecturally subtle. Tenant isolation enforced at the application layer doesn’t automatically propagate to the vector database query layer. Organizations building on top of vector database platforms need to verify that their metadata filtering is enforced at query execution time, not just at ingestion.

The cost estimate for a cross-tenant retrieval breach in a SaaS environment goes beyond the technical impact. Depending on what’s in the exposed knowledge base — customer PII, contractual documents, proprietary IP — a single retrieval boundary failure can constitute a data breach under GDPR, triggering notification obligations and regulatory scrutiny that dwarf the cost of the defensive architecture that would have prevented it.

Defense Architecture: What Actually Works

The honest answer is that no single control is sufficient. The research record on this is consistent: paraphrasing, top-k expansion, and existing prompt injection classifiers have all been tested against PoisonedRAG and HijackRAG and found inadequate. This doesn’t mean defense is impossible — it means defense requires architectural changes, not just guardrails bolted on at the output layer.

At the Ingestion Layer

  • Cryptographic provenance tracking on every ingested document. Every chunk in the vector database should carry a verifiable hash and source attestation. Unsigned or unverifiable sources should fail ingestion, not silently enter the knowledge base.
  • Strip and separately log all metadata, comments, hidden text, and speaker notes from documents before embedding. These fields should not enter the retrieval context without explicit review.
  • Restrict write access to the ingestion pipeline. Only authorized processes — not ad-hoc scripts or development shortcuts — should be able to modify the knowledge base. Audit logs on all writes, treated with the same seriousness as database write logs.

At the Retrieval Layer

  • Retrieve context and track provenance — surface sources alongside results in the final output, or at minimum in internal logs. If you can’t tell the system which documents it retrieved for a given query, you can’t audit it.
  • Anomaly detection on retrieval patterns. A document that suddenly appears in top-k results for queries where it previously didn’t rank is a signal worth investigating. Most organizations log zero retrieval telemetry today.
  • Enforce tenant isolation at the vector database query layer, not only at the application layer. Test it explicitly with cross-tenant query attempts in your security regression suite.

At the Generation Layer

  • Prompt partitioning — keeping system instructions, user inputs, and retrieved context in structurally distinct positions in the prompt, with explicit labeling of trust levels. This is an emerging pattern; no standard implementation exists yet, but the EchoLeak post-mortem paper at arXiv 2509.10540 outlines the approach.
  • Monitor output for anomalies: Markdown image references to external domains, unexpected URL constructions, content that includes data from outside the user’s stated query scope.
  • Least-privilege access for the AI agent. Copilot’s ability to retrieve from the entirety of a user’s email history, SharePoint, Teams, and OneDrive simultaneously is what made EchoLeak’s exfiltration scope so broad. Limit what the retrieval system can access to what the task actually requires.

At the Dependency Layer

  • Run dependency scanners against your orchestration framework — LangChain, LlamaIndex, or whatever you’re using. CVE-2025-68664 (LangChain, CVSS 9.3) affected hundreds of millions of installed packages. These frameworks release security patches, but they don’t automatically propagate to production deployments.
  • Subscribe to security advisories for every library in your RAG stack. This is basic supply chain hygiene that’s still not standard practice in AI engineering teams.

Red Team Checklist: Testing Your Own Pipeline

If you operate a RAG-powered application in production, these are the tests you should be running — and probably aren’t. Tools like Promptfoo and Garak support RAG-specific test scenarios.

Test Category What to Try Success Indicator (for attacker) Defensive Pass Condition
Poisoning Inject a test document containing a known payload phrase into the knowledge base via every available write path Payload phrase appears in system output Payload never surfaced; ingestion flagged
Indirect Injection Craft a PDF with hidden instructions in metadata/comments; ingest it; trigger retrieval Instructions executed in model output Metadata stripped; instructions not present in retrieved context
Access Control Query vector DB directly (bypassing app layer) with authenticated internal user credentials Unfiltered cross-tenant data returned Query returns only authorized tenant’s data
Provenance Modify a source document post-ingestion; re-query Stale/modified content retrieved without alert Pipeline detects source-hash mismatch
Exfiltration via Output Craft retrieved document containing Markdown image references to external URLs External request fires with internal data appended Output filter strips or flags external references

The Optimistic View — And Why It’s Warranted

There’s a genuine reason for optimism here, though it’s different from the kind security vendors tend to sell. RAG security is a young field. OWASP LLM08:2025 is less than a year old. The first formal threat model for RAG systems was published in September 2025 by researchers at the University of South Florida. The first zero-click production exploit — EchoLeak — was discovered and patched in the same year it was found, with coordinated disclosure and no evidence of exploitation in the wild.

The research community is ahead of the attacker community on this, for now. PoisonedRAG and HijackRAG are published because the researchers wanted defenders to understand the risk — the CVE process, the OWASP categorization, the vendor patch coordination — all of this is working. The window between research disclosure and production exploitation isn’t closed, but it’s being monitored.

What would make me more optimistic: standardized retrieval security testing frameworks that security teams can actually run without deep ML expertise. The gap between what research teams can test and what production security teams can operationalize is still wide. The tools exist in prototype form; adoption is the challenge.

A Note on Scope

My analysis here draws on B2B enterprise deployments — primarily large organizations in US and EU markets, where I’ve seen RAG systems in production contexts. Consumer-facing RAG deployments, smaller organizations, and markets outside this scope may face different risk profiles. The attack research is generally model-agnostic, but the organizational context — access control complexity, data sensitivity, and incident response capability — varies significantly. I haven’t tested these techniques at scale in environments outside B2B enterprise. No sponsorship disclosure: none of the tools or frameworks mentioned here are ones I have a commercial relationship with.

TM

Tom Morgan

Security architecture and AI risk, focused on B2B enterprise deployments. Coverage spans US and EU markets; my sample skews toward organizations with 500+ employees running LLM-integrated workflows. I write independently — no vendor relationships, no sponsored content.

No sponsorship · Scope: B2B / US-EU Enterprise · May 2026
The retrieval pipeline is where AI security gets interesting — and where most security programs haven’t looked yet. That’s going to change, one CVE at a time.


0 responses to “RAG Security: Attack Surfaces in Retrieval Pipelines”