Our Honest Take on Document Poisoning in RAG Systems: A real, practical attack that deserves far more attention than it currently gets.
Verdict at a glance
- Genuinely impressive: The demonstration is reproducible on a laptop in minutes with zero cloud dependencies, clearly shows both retrieval and generation conditions in action, and uses only vocabulary engineering rather than gradient optimization.
- Disappointing: The evaluation is limited to a 5-document corpus; real-world success rates in 100k+ document collections are not measured here.
- Who it’s for: Security teams, RAG engineers, and anyone shipping internal knowledge assistants or customer-facing chatbots over private data.
- Price/performance verdict: The attack costs nothing to execute and can be performed by a moderately skilled insider or external actor with write access. Defense will require meaningful engineering investment.
What's actually new
The post is not a new theoretical attack. It is a clean, accessible reproduction and extension of the PoisonedRAG work (Zou et al., USENIX Security 2025). What Amine Raji provides is a practical local lab using off-the-shelf components: LM Studio + Qwen2.5-7B-Instruct (Q4_K_M), all-MiniLM-L6-v2 embeddings, and persistent ChromaDB.
The core advance for practitioners is the explicit construction of three complementary poisoned documents that together satisfy both the retrieval condition (higher cosine similarity to financial queries than the legitimate document) and the generation condition (authority language that causes the LLM to treat the fake numbers as authoritative).
Document 1 uses corrective language (“CFO-Approved Correction”, “material errors”, “effective immediately”). Document 2 references the original $24.7M figure but frames it as “originally reported” and superseded. Document 3 (cut off in the source but implied to continue the pattern) presumably reinforces the narrative. This combination of semantic SEO for embeddings plus soft prompt injection for the generator is the substantive contribution of the lab.
The repo (github.com/aminrj-labs/mcp-attack-labs) and the make attack1 one-command setup lower the barrier to entry dramatically. Any engineer can now see the attack in 10 minutes on a MacBook Pro with no GPU.
The hype check
The title and opening paragraph lean into drama (“in under three minutes… confidently reporting”). This is mostly earned. The author is transparent that the corpus contains only five documents total and that the attack was run against that tiny set at temperature=0.1 across 20 runs. Success is defined clearly: the model outputs the fabricated $8.3M figure and does not present the real $24.7M as current truth.
The author correctly caveats that the small corpus makes direct comparison to PoisonedRAG’s 90% success rate on millions of documents unfair. He also notes that in larger collections an attacker would need more poisoned documents to dominate top-k retrieval. This intellectual honesty is refreshing and prevents the piece from sliding into security theater.
The claim that this is “the most underestimated attack on production RAG systems today” is opinionated but defensible. Most RAG deployments still treat the knowledge base as an integrity-protected source of truth. This work shows that assumption is fragile once an attacker has any write path into the vector store.
Real-world implications
Any organization using RAG over documents that can be influenced by employees, contractors, partners, or compromised upload features is exposed. Concrete scenarios include:
- Internal company wikis or policy assistants that pull from shared drives or wikis with loose permissions.
- Customer support bots whose knowledge base can be updated via CRM tickets or uploaded PDFs.
- Legal or compliance assistants that ingest new contracts and regulatory filings.
- Developer assistants pulling from internal code-adjacent documentation.
The attack does not require model jailbreaking, prompt injection in the user query, or exploitation of software vulnerabilities in the usual sense. It only requires the ability to add documents that look plausible to an embedding model. That bar is low.
Because the poisoned documents can reference real figures and then reframe them, the attack is stealthy. An analyst reading the LLM output might not immediately realize they are looking at fabricated data.
Limitations they're not talking about
The post underplays several practical difficulties:
-
Scale and noise: In a real knowledge base with thousands of financial documents, three poisoned entries may be insufficient. The top-k (commonly 5–20) will contain many competing legitimate documents. The PoisonedRAG paper used gradient-based optimization against the specific embedding model; the vocabulary-engineering approach here is weaker and may require significantly more documents or more sophisticated crafting.
-
Persistence and detection: ChromaDB is file-based and persistent, but enterprise vector stores often have ingestion pipelines, duplicate detection, versioning, or human review. The lab bypasses all of that. Real attackers would need to evade whatever validation, deduplication, or anomaly detection exists.
-
Model-specific behavior: Results are shown only for Qwen2.5-7B-Instruct. Stronger models with better reasoning (Claude 3.5/4, GPT-4o, Gemini 2.0) might be more resistant to the authority-framing trick, especially if system prompts emphasize source recency or primary document priority. The post does not test this.
-
Lack of automated red-teaming: The attack is hand-crafted. There is no discussion of how to scale this to many queries or automatically generate poisoned documents.
-
Defense surface is glossed over: While the author mentions that prompt hardening reduces effectiveness, there is little concrete guidance on robust mitigations.
How it stacks up
- Compared to prompt injection: This attack is more persistent because the corruption lives in the knowledge base rather than the user message.
- Compared to training-time data poisoning: This is an inference-time attack. It requires no model retraining.
- Compared to other RAG attacks (Promptfoo’s work, the 250-document vulnerability paper): This lab is simpler and more reproducible for engineers. It focuses on a minimal viable attack rather than theoretical maximum scale.
- Closest analogue is adversarial retrieval attacks in information retrieval, now made dangerous by the generative layer that blindly trusts retrieved context.
Constructive suggestions
The RAG security community should prioritize the following:
-
Benchmark suites: Create standardized RAG poisoning benchmarks with realistic corpus sizes (10k–500k documents), multiple embedding models, and multiple LLMs. Measure success rate, number of poisoned documents required, and stealth.
-
Defense baselines: Publish strong default defenses — source citation requirements, recency weighting, cross-document consistency checks, embedding-space anomaly detection, and human-in-the-loop ingestion for high-stakes domains.
-
Embedding hardening: Explore embedding models less susceptible to simple keyword stuffing, or use ensemble embeddings. Test whether newer embedding models (e.g., snowflake-arctic-embed, voyage-3) are harder to poison with vocabulary engineering.
-
Architectural patterns: Move from “dump everything in a vector DB” to more structured RAG with knowledge graphs, entity validation, or hybrid symbolic + vector retrieval for factual data like financials.
-
Monitoring: Log retrieval scores and surface when a small number of documents suddenly dominate retrieval for important query clusters. This is the embedding equivalent of SEO spam detection.
The author’s lab is an excellent starting point. Extending it to test against larger synthetic corpora and multiple embedding/LLM combinations would make it significantly more valuable to the industry.
Our verdict
Adopt defensive thinking now. Any team shipping RAG in production for business-critical or customer-facing use should treat knowledge base integrity as a first-class concern, not an afterthought. The attack is too easy to demonstrate and too plausible in many enterprise settings to ignore.
Teams using RAG only over highly curated, access-controlled, versioned data with human review can probably wait for better tools. Everyone else — especially those allowing user uploads, partner data feeds, or broad internal write access — should implement at least basic mitigations immediately.
Skip only if your RAG use cases are purely creative or non-factual. For anything involving numbers, policy, compliance, or factual recall, this class of attack is now table stakes.
FAQ
Should we switch from our current vector DB to something “more secure”?
No. The vulnerability is not primarily in ChromaDB. It is in the trust model that assumes any document added to the index is legitimate and that similarity equals truth. The same attack works against Pinecone, Weaviate, PGVector, or any system that performs nearest-neighbor retrieval without additional integrity layers. Focus on ingestion hygiene, retrieval augmentation, and output validation instead of swapping databases.
Is this attack only a concern for small knowledge bases?
No. While the lab uses five documents, the referenced PoisonedRAG paper shows the attack succeeds at million-document scale when using optimized payloads. The vocabulary-engineering version shown here will require more documents in large corpora, but the fundamental risk remains. The difference is effort, not possibility.
Is it worth the price premium to use enterprise RAG platforms with “built-in security”?
Sometimes. Enterprise platforms that enforce document versioning, digital signatures, ingestion-time classification, or retrieval-time consistency checks provide meaningful protection. However, many “secure RAG” marketing claims are still superficial. Demand evidence of specific defenses against knowledge poisoning rather than generic SOC2 badges. For many organizations, adding a lightweight validation layer on top of an existing stack will be more cost-effective than a full platform switch.
Sources
- Document Poisoning in RAG Systems: How Attackers Corrupt AI's Sources
- PoisonedRAG paper (referenced) (via author citation)
- Related discussions on Hacker News and Promptfoo blog (via provided search results)
All technical specifications, pricing, and benchmark data in this article are sourced directly from official announcements. Competitor comparisons use publicly available data at time of publication. We update our coverage as new information becomes available.

