PoisonedRAG refers to a class of adversarial attacks targeting Retrieval-Augmented Generation (RAG) systems through the injection of malicious or corrupted documents into retrieval databases. Research in this area has demonstrated that effective RAG poisoning attacks do not require comprehensive corruption of entire document repositories; instead, attackers need only compromise documents that achieve high similarity rankings for specific target queries within the retriever's ranking system.

RAG poisoning exploits the fundamental dependency of augmented language models on retrieved context. Unlike attacks requiring broad database manipulation, poisoning attacks succeed by strategically placing corrupted content that the retriever will rank highly for particular queries. This selective corruption approach significantly reduces the attack surface and practical barriers to exploitation.

The attack vector leverages the similarity-matching function used by RAG retrievers. Modern RAG systems typically employ dense vector embeddings and cosine similarity scoring to identify relevant documents. An attacker who understands the target retriever's embedding model can craft poisoned documents that achieve high similarity scores with specific queries of interest ¹⁾. This specificity is critical: the attacker does not need to poison random documents, only those that will be retrieved for queries they wish to compromise.

The practical feasibility of RAG poisoning stems from several factors. First, many RAG implementations operate over partially open or dynamic document collections where insertion or modification of documents is possible through standard data pipelines. Second, the retriever's ranking mechanism creates a narrow bottleneck—only top-k retrieved documents influence the language model's response, typically k=3-10. Third, modern embedding models are deterministic and publicly known, allowing attackers to compute similarity scores offline before attack execution.

Traditional security assumptions in retrieval systems focused on preventing unauthorized access to databases. RAG poisoning reframes the threat model: even with restricted write access, an attacker who can influence document sources upstream (vendor APIs, crawled web content, user-submitted data, or compromised data pipelines) can degrade system performance.

The attack affects accuracy, bias injection, and jailbreaking objectives. Poisoned documents can cause the RAG system to generate incorrect information, introduce systematic biases for particular demographic groups or topics, or bypass safety guidelines by providing harmful content directly in the retrieval context ²⁾.

Several defensive approaches have been proposed to counter RAG poisoning attacks:

Document verification and source authentication mechanisms can establish trust in retrieved documents through digital signatures or blockchain-based proof-of-provenance systems. However, this approach requires substantial infrastructure changes and assumes sources can be verified.

Retriever robustness training involves fine-tuning retrievers on datasets containing adversarial examples, similar to adversarial training approaches in computer vision ³⁾. This increases resilience to similarity-based attacks but introduces computational overhead.

Diversity in retrieved context requires RAG systems to return documents with varied similarity scores or semantic diversity, reducing dependence on any single top-ranked document. This partially mitigates attacks targeting the top result but increases context length and computational cost.

Anomaly detection systems can identify unusual patterns in retrieved document sets during inference, flagging queries that retrieve statistically improbable document combinations. However, sophisticated attackers may craft poisoned documents that maintain statistical similarity to legitimate content.

Active research explores the intersection of RAG security and language model robustness. Questions include optimal retriever architectures resistant to poisoning, formal threat models for augmented systems, and trade-offs between defense mechanisms and retrieval performance ⁴⁾. As RAG systems become increasingly deployed in production environments for knowledge-intensive tasks—including customer support, medical information retrieval, and financial analysis—understanding and mitigating poisoning attacks remains a critical security research area.

• RAG Knowledge Poisoning
• Latent Memory Poisoning
• RAG Poisoning vs Training-Time Poisoning