RAG Document Poisoning: A Growing AI Security Threat

Retrieval-Augmented Generation (RAG) systems have become the standard architecture for grounding LLMs in enterprise data. They pull relevant documents from a vector database and feed them to the model as context. This approach reduces hallucinations and keeps responses factual.

But what happens when someone poisons the knowledge base itself?

Recent research published at USENIX Security 2025 demonstrates that document poisoning attacks against RAG systems achieve over 90% success rates, even in knowledge bases containing millions of documents. The attack requires no prompt injection, no model jailbreaks, just write access to the document store.

How the Attack Works

RAG poisoning exploits two conditions simultaneously:

Retrieval Condition: Injected documents must score higher semantic similarity to target queries than legitimate documents. Attackers achieve this by loading poisoned docs with the same vocabulary as the content they want to displace.

Generation Condition: Once retrieved, the poisoned content must cause the LLM to favor the attacker's narrative. Authority framing like "CORRECTED FIGURES" and "CFO-Approved" makes LLMs treat fabricated data as more authoritative than original sources.

A practical demonstration shows that three carefully crafted documents can flip financial reporting from "$24.7M revenue with profit" to "$8.3M revenue with 47% decline" across 95% of queries. The legitimate document was still retrieved, but the model chose to trust the "correction" narrative.

Why SRE Teams Should Care

RAG poisoning differs from typical prompt injection in critical ways:

• Persistence: Poisoned documents stay until manually removed. One injection affects every user query indefinitely.
• Invisibility: Users see confident responses, not the underlying retrieved chunks. There's no obvious signal of compromise.
• Low Barrier: Anyone with document upload access can execute this attack. No ML expertise required.

If your organization uses RAG for internal documentation, customer support, or operational runbooks, a poisoned knowledge base could serve incorrect procedures during incidents.

Defensive Strategies

Document provenance tracking: Log who uploaded each document and when. Implement approval workflows for knowledge base changes.

Chunk-level monitoring: Track retrieval patterns. Sudden changes in which documents get retrieved for common queries may indicate poisoning.

Source attribution in responses: Configure your RAG pipeline to cite sources in outputs. Users can then verify claims against original documents.

Semantic anomaly detection: Flag documents with unusually high similarity scores that appeared recently. Legitimate content rarely dominates retrieval overnight.

Access controls: Treat knowledge base write access like production database access. Audit, restrict, and monitor.

Quick Reference

# Monitor vector DB for new high-similarity documents
# Example: ChromaDB anomaly check
python3 -c "
import chromadb
client = chromadb.PersistentClient(path='./chroma_db')
collection = client.get_collection('docs')
# Query common patterns, flag docs added in last 24h with top-3 similarity
"

Conclusion

RAG systems inherit the security posture of their knowledge bases. As organizations deploy more AI-powered tools, document poisoning becomes a supply chain risk for AI infrastructure.

For SRE teams managing AI deployments, treat knowledge base integrity as seriously as container image signing or secrets management. The attack surface exists anywhere documents flow into your vector store.

Akmatori helps teams build secure, observable AI agent infrastructure. Explore our open-source platform to see how we approach AI operations, and check out Gcore for the edge infrastructure that powers modern AI workloads.