Retrieval Poisoning
Quick Answer
Retrieval poisoning is a corpus-side attack on retrieval-augmented generation (RAG) and agent memory in which an attacker plants malicious documents in a knowledge source so that those documents are retrieved for chosen queries and steer the model's answer or action. It is the supply-chain analogue of prompt injection: instead of attacking the prompt at request time, the attacker attacks the knowledge the prompt is built from.
Retrieval Poisoning
Retrieval poisoning is a corpus-side attack on retrieval-augmented generation (RAG) and agent memory: an attacker plants malicious documents in a knowledge source — a public web crawl, a customer-uploaded PDF, a wiki page, a support ticket — so that those documents are retrieved for chosen queries and steer the generator's output. It is the supply-chain analogue of prompt injection: rather than attacking the prompt at request time, the attacker attacks the knowledge the prompt is built from. Research has shown that a handful of crafted texts can dominate retrieval against corpora of millions of documents; in compound AI systems the poisoned context can shape tool calls and plans, not just text answers.
It is the dual of RAG data exfiltration: poisoning compromises what comes out of retrieval, exfiltration leaks what's in it.
See also
- Indirect prompt injection — poisoned documents are the typical delivery vehicle.
- Memory poisoning — same attack shape against agent memory instead of a retrieval corpus.