A growing body of research is warning that vulnerabilities in vectors and embeddings — key components in systems using
Retrieval Augmented Generation (RAG) with Large Language Models (LLMs) — pose a serious threat to data security and integrity. If exploited, these weaknesses could allow attackers to inject malicious content, manipulate model outputs, or gain unauthorized access to sensitive information.
RAG is designed to enhance large language models by pairing them with external knowledge sources, boosting their accuracy and contextual relevance. It does so through vectors and embeddings, which represent and retrieve data in high-dimensional space. But flaws in how these elements are generated, stored, or accessed create multiple attack surfaces.
Risks and attack vectors
One of the most pressing dangers is
unauthorized access and data leakage. If access controls are poorly implemented, embeddings containing personal data, trade secrets, or copyrighted material could be exposed, potentially triggering privacy violations or legal disputes.
[Editor's Note: This is part SC Media's partnership to unpack OWASP's Top 10 for LLM Applications.] In
multi-tenant environments, where different users or applications share the same vector database, cross-context leaks are a growing concern. This can lead to “federation knowledge conflicts,” where contradictory data from different sources causes the model to deliver inaccurate or outdated information.
Embedding inversion attacks are another threat. In these cases, adversaries exploit weaknesses to reconstruct original source data from its vector representation — compromising confidentiality.
Perhaps the most insidious risk is
data poisoning. Whether through malicious insiders, manipulated prompts, or unverified external sources, poisoned data can alter model behavior, producing biased or misleading outputs. Even unintentional contamination can skew results.
Finally, experts caution that RAG can subtly change a model’s personality. While it may improve factual precision, it can diminish qualities like empathy — critical in customer service, healthcare, and counseling contexts.
Real-world scenarios
In one documented example, an attacker submitted a résumé laced with hidden text instructing an AI-powered screening system to recommend the applicant. The RAG-enabled model, unable to detect the concealed instructions, complied — bypassing the normal qualification process.
In another case, a shared vector database inadvertently mixed data between two corporate clients. One client’s proprietary information surfaced in response to the other’s queries, creating a serious confidentiality breach.
A more subtle effect occurred when RAG augmentation reduced a financial advice bot’s empathetic tone. Queries about debt stress that once received supportive, nuanced responses became purely transactional, stripping away emotional understanding.
Prevention and mitigation
Security specialists recommend a multilayered approach. Fine-grained, permission-aware vector and embedding stores are essential, with strict logical partitioning between datasets. Data sources must be authenticated and continuously audited for hidden code or malicious content.
When integrating data from multiple origins, careful classification and tagging help prevent mismatches. Detailed logging of all retrieval operations can enable early detection of suspicious activity.
Importantly, developers should regularly evaluate RAG’s impact on a model’s tone and user experience, ensuring enhancements do not come at the cost of essential human-like qualities.
As LLMs become embedded in industries from finance to healthcare, experts stress that vector and embedding security cannot remain an afterthought. “These systems are only as safe as their weakest component,” one researcher noted. “Ignoring vulnerabilities here is like leaving the front door open.”
With AI adoption accelerating, the race is on to close these gaps before attackers find a way in.
This article is part of SC Media’s 10-part editorial series on the OWASP Top 10 for LLM Applications 2025. Produced in partnership with the OWASP Generative AI Security Project, the series highlights actionable steps for secure, transparent GenAI application development.
