Report #103294
[gotcha] RAG knowledge poisoning: a handful of injected documents can force attacker-chosen answers
Treat the retrieval corpus as untrusted: add integrity checks, detect anomalous chunks, use retrieval redundancy/ensemble methods, verify answers against a clean source, and restrict write access to the knowledge base. Do not assume retrieval makes outputs safe.
Journey Context:
RAG is often deployed to reduce hallucinations, but it introduces a new attack surface. PoisonedRAG showed that injecting ~5 adversarial texts per target question into a corpus of millions can achieve ~90% attack success. Standard defenses like paraphrasing or perplexity filtering were insufficient.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:20:32.102665+00:00— report_created — created