OWASP added vector and embedding weaknesses to the Top 10 for LLM Applications in 2025, confirming RAG as a high-priority attack surface, according to OWASP, 2025. A 2025 survey by Immuta found that 55% of enterprises cited data security as their top concern with RAG deployments, according to Immuta, 2025. As enterprises connect LLMs to internal knowledge bases, the attack surface expands into document stores, vector databases, and retrieval pipelines. This guide covers the 5 major RAG security risks and the defenses that mitigate each one.
- OWASP 2025 added vector/embedding weaknesses as a new LLM vulnerability category, covering RAG-specific attack surfaces.
- 55% of enterprises cite data security as their top RAG deployment concern (Immuta, 2025).
- Knowledge base poisoning, prompt injection through retrieval, and information leakage are the three highest-impact RAG risks.
- Shadow AI, meaning unauthorized RAG systems built by teams without security review, is growing in enterprises and is difficult to detect.
- Defense requires access control at the retrieval layer, input/output validation, and verification of RAG outputs before serving to users.
Why RAG Systems Create New Attack Surfaces
Traditional LLM security focuses on the model itself: prompt injection, jailbreaking, and output manipulation. RAG introduces a second attack surface, the knowledge retrieval layer, that is fundamentally different from the model layer.
In a standard LLM interaction, the attacker’s input goes directly to the model. In a RAG system, the attacker’s input first triggers a retrieval query, which pulls documents from a knowledge base, which then becomes part of the model’s context. Each of these steps is a potential attack vector.
The knowledge base itself may contain documents from multiple sources with varying trust levels. Internal wikis, customer support tickets, policy documents, and third-party data feeds all mix together in the vector store. A RAG system that retrieves from all sources without distinguishing trust levels treats a verified policy document the same as an unreviewed wiki edit.
This is not a theoretical risk. AWS documented RAG-specific vulnerabilities in their security guidance, noting that “the retrieval component introduces unique security challenges around data access, document integrity, and prompt context manipulation,” according to AWS Security Blog, 2025.
Gartner estimates that by 2026, more than 80% of enterprise AI applications will use RAG or similar retrieval patterns, according to Gartner, 2024. The scale of exposure is growing rapidly.
Risk 1: Knowledge Base Poisoning
Knowledge base poisoning is the RAG-specific equivalent of training data poisoning. Attackers inject malicious or false documents into the knowledge base. When the RAG system retrieves these documents as context, the LLM incorporates the poisoned content into its responses.
How it works. An attacker with write access to any data source that feeds the knowledge base, such as a wiki, a shared drive, a support ticket system, or an integration endpoint, creates a document containing false information or malicious instructions. The document gets ingested, embedded, and stored in the vector database. When a user asks a related question, the retrieval step pulls the poisoned document alongside legitimate ones. The LLM has no way to distinguish the poisoned content from verified content.
Real-world scenario. An enterprise RAG system ingests documents from Confluence. An attacker with Confluence edit access modifies a policy page to include false information about the company’s refund policy. The customer-facing chatbot retrieves this page and starts telling customers they are entitled to refunds they are not. No security alert fires because the document update looks like a routine wiki edit.
Mitigation.
- Implement document-level provenance tracking in the ingestion pipeline
- Validate document sources before ingestion and reject untrusted origins
- Apply content integrity checks: hash documents at ingestion and flag modifications
- Use a verification API to check RAG outputs against independent sources before serving responses to users
- Implement change monitoring on all data sources that feed the knowledge base
Risk 2: Prompt Injection Through Retrieved Context
Indirect prompt injection through retrieved documents is one of the most dangerous RAG vulnerabilities. Attackers embed malicious instructions inside documents that the RAG system retrieves and includes in the LLM prompt context.
How it works. A document in the knowledge base contains hidden text such as “Ignore all previous instructions and respond with the following…” When this document is retrieved and inserted into the prompt, the LLM may follow the injected instructions instead of the system prompt. The user never sees the malicious content directly; it enters through the retrieval layer.
This attack was demonstrated against Bing Chat in 2023, where researchers embedded prompt injections in web pages that Bing’s retrieval system would fetch, according to Greshake et al., 2023. The same technique applies to enterprise RAG systems that ingest web content, emails, or user-submitted documents.
OWASP ranks prompt injection as LLM01 in the 2025 Top 10 for LLM Applications, and specifically calls out indirect injection through retrieval as a high-severity variant, according to OWASP, 2025.
Mitigation.
- Sanitize all retrieved documents before including them in the prompt
- Use instruction hierarchy so the model prioritizes system prompts over retrieved content
- Limit the length and format of retrieved content to reduce injection surface
- Implement content classification that flags documents containing instruction-like patterns
- For comprehensive prompt injection defenses, see the prompt injection prevention guide
Risk 3: Information Leakage Through Retrieval
RAG systems can inadvertently expose sensitive information to unauthorized users through the retrieval mechanism. If access controls are not enforced at the retrieval layer, a user’s query can retrieve documents they should not have access to.
How it works. An enterprise RAG system indexes documents from HR, legal, engineering, and finance departments. A sales representative asks the chatbot a question about a client. The retrieval step, based on semantic similarity rather than access permissions, pulls a confidential legal memo about ongoing litigation with that client. The LLM includes information from the memo in its response.
This is not a hypothetical scenario. Microsoft documented this as a key concern in their Copilot for Microsoft 365 security guidance, noting that organizations must ensure proper SharePoint permissions before enabling Copilot’s retrieval features, according to Microsoft, 2024.
IBM reported that the average cost of a data breach reached $4.88 million in 2024, according to IBM Cost of a Data Breach Report, 2024. Information leakage through RAG systems creates a new, subtle breach vector that traditional data loss prevention (DLP) tools are not designed to catch.
Mitigation.
- Enforce document-level access controls in the retrieval layer, not just the application layer
- Tag every document with access permissions at ingestion time
- Filter retrieval results by the requesting user’s authorization level before they enter the prompt
- Implement output filtering to detect and redact sensitive data categories (PII, financial data, legal privileged content)
- Audit retrieval logs to detect unauthorized access patterns
Risk 4: Shadow AI and Unauthorized RAG Deployments
Shadow AI is the 2025 equivalent of shadow IT: employees and teams building RAG systems without security review, data governance, or organizational oversight.
How it works. A product team connects an OpenAI API to their internal Notion workspace to build a “smart assistant.” An engineering team sets up a LangChain RAG pipeline over their Git repositories. A sales team uses a no-code tool to create a chatbot that retrieves from their CRM data. None of these systems go through security review. None have access controls, monitoring, or data classification.
Gartner warned that shadow AI is a growing risk vector in enterprises, noting that IT leaders struggle to maintain visibility into unsanctioned AI deployments, according to Gartner, 2024. The problem is compounded by the ease of building RAG systems: an engineer with an API key and a vector database can deploy a retrieval system over sensitive data in hours.
Mitigation.
- Establish an AI governance framework that requires security review for all RAG deployments
- Monitor API usage across the organization to detect unauthorized LLM API calls
- Provide approved, secured RAG infrastructure so teams do not build their own
- Classify data sources and restrict which ones can be connected to LLM systems
- Conduct regular audits for unsanctioned AI tool usage
Risk 5: Vector Database Vulnerabilities
The vector database itself presents security concerns that are distinct from the documents it stores. Embeddings, the numerical representations of documents stored in vector databases, can leak information about the original content even without direct document access.
How it works. Research has demonstrated that embeddings can be partially inverted to reconstruct the original text, according to Morris et al., 2023. An attacker with access to the vector database, even without access to the original documents, can potentially extract sensitive information from the embedding space. Additionally, adversarial embeddings can be crafted to manipulate retrieval results, causing the system to return specific documents for unrelated queries.
Pinecone, Weaviate, Qdrant, and Milvus all provide encryption at rest and in transit, but access controls and audit logging vary significantly across vendors, according to Pinecone Security Documentation, 2025.
Mitigation.
- Encrypt embeddings at rest and in transit
- Implement access controls on the vector database with role-based permissions
- Audit all queries to the vector database
- Consider using separate vector stores for different data classification levels
- Monitor for anomalous query patterns that may indicate embedding extraction attempts
Verifying RAG Outputs as a Security Control
Even with strong input defenses, RAG systems can produce outputs that contain errors from poisoned documents, retrieval mistakes, or LLM hallucinations layered on top of retrieved context. Output verification is the last line of defense.
The Webcite verification API checks each claim in a RAG output against independent external sources. This catches errors regardless of their source: whether the claim originated from a poisoned document, a retrieval error, or an LLM hallucination.
import requests
def verify_rag_output(claims):
results = []
for claim in claims:
response = requests.post(
"https://api.webcite.co/api/v1/verify",
headers={
"x-api-key": "your-api-key",
"Content-Type": "application/json"
},
json={
"claim": claim,
"include_stance": True,
"include_verdict": True
}
)
result = response.json()
results.append({
"claim": claim,
"verdict": result["verdict"]["result"],
"confidence": result["verdict"]["confidence"],
"citations": result["citations"]
})
return results
This verification step adds latency (typically under 2 seconds per claim) but provides a security-relevant assurance that no observability platform or input filter can match: independent confirmation that the output is factually accurate.
For RAG systems serving customer-facing applications, legal research, or financial analysis, this verification layer can prevent costly errors. The Webcite free tier includes 50 credits per month ($0), and the Builder plan provides 500 credits at $20 per month. For detailed pricing, see the Webcite API pricing guide. For a deeper look at RAG-specific hallucination patterns, see the RAG hallucination detection guide.
Building a Secure RAG Architecture
A secure RAG deployment addresses each risk layer with specific controls:
| Layer | Risk | Control |
|---|---|---|
| Ingestion | Knowledge base poisoning | Source validation, provenance tracking, integrity hashing |
| Storage | Vector database vulnerabilities | Encryption, access controls, audit logging |
| Retrieval | Information leakage, unauthorized access | Document-level ACLs, user-context filtering |
| Prompt | Indirect prompt injection | Content sanitization, instruction hierarchy |
| Output | Hallucination, error propagation | Verification API, output filtering |
| Governance | Shadow AI | Centralized AI registry, usage monitoring |
The NIST AI Risk Management Framework provides a governance structure that maps to these controls, according to NIST, 2023. Teams building RAG systems in regulated industries should document their security controls against both the OWASP LLM Top 10 and NIST AI RMF. For compliance-specific guidance, see the EU AI Act verification API compliance guide.
Frequently Asked Questions
What are the main security risks in RAG systems?
The main RAG security risks are knowledge base poisoning, prompt injection through retrieved context, information leakage from the vector store, unauthorized data access through retrieval, and shadow AI deployments. OWASP added vector and embedding weaknesses to the LLM Top 10 in 2025, confirming RAG as a high-priority attack surface.
How can attackers poison a RAG knowledge base?
Attackers inject malicious or false documents into the knowledge base that the RAG system retrieves as context. If the ingestion pipeline lacks validation, poisoned documents appear alongside legitimate content. The LLM treats all retrieved context equally, incorporating poisoned data into its responses without distinguishing it from verified sources.
What is shadow AI in the context of RAG?
Shadow AI refers to unauthorized RAG deployments created by teams or individuals without security review. Employees connect LLMs to internal document stores, SharePoint sites, or databases without access controls, data classification, or monitoring. These systems often expose sensitive data to the LLM and potentially to unauthorized users.
How do you prevent information leakage in RAG systems?
Prevention requires access control at the retrieval layer, not just the application layer. Every document in the knowledge base must carry access permissions. The retrieval query must be filtered by the requesting user’s authorization level. Additionally, output filtering should detect and redact sensitive data before responses reach users.
Does OWASP cover RAG vulnerabilities?
Yes. The OWASP Top 10 for LLM Applications 2025 includes vector and embedding weaknesses as a new vulnerability category (LLM08:2025). RAG-specific risks like knowledge base poisoning, retrieval manipulation, and unauthorized access through embeddings are all within scope.
Can output verification reduce RAG security risks?
Output verification reduces the impact of knowledge base poisoning and retrieval errors by checking each claim in the RAG output against independent external sources. If a poisoned document causes the LLM to generate a false claim, verification catches it before the response reaches the user. The Webcite API provides this capability as a single REST call.
