Research published in 2026 demonstrates that injecting as few as 250 malicious documents—or in some cases just 5—into AI knowledge bases can poison RAG (Retrieval-Augmented Generation) systems with attack success rates exceeding 98%. The PoisonedRAG research, presented at USENIX Security 2025, shows that contaminating merely 0.04% of a corpus leads to 98.2% attack success and 74.6% system failure. Unlike prompt injection attacks that affect single queries, poisoned documents persist indefinitely in vector databases, corrupting outputs for all users across every related query until manually removed.
This isn’t theoretical. Production systems compromised between January 2025 and March 2026 include DeepSeek’s DeepThink-R1 model (GitHub repository poisoning), MCP server supply chain attacks affecting 3,000+ applications, and Microsoft 365 Copilot’s EchoLeak vulnerability enabling automatic data exfiltration. Developers using RAG systems—LangChain, LlamaIndex, AI chatbots, code assistants—are directly vulnerable.
Vector Magnets: How Poisoned Documents Dominate Retrieval Rankings
The attack exploits cosine similarity in vector databases by engineering “Vector Magnets”—poisoned documents optimized to achieve higher similarity scores (0.85-0.95) than legitimate sources (0.60-0.80). When a RAG system retrieves documents for a query, it ranks them by cosine similarity between the query embedding and document embeddings. Attackers use vocabulary overlap and gradient-based optimization to position documents in embedding space, creating “gravity wells” that attract queries toward false information.
Security researcher Amine Raji demonstrated this in March 2026 by injecting three coordinated documents into a ChromaDB knowledge base. The poisoned documents claimed Q4 2025 revenue was $8.3M (down 47%) when actual revenue was $24.7M with $6.5M profit. Each document used authority framing—”CFO-approved correction,” “board authorization,” “regulatory notice”—and achieved 95% attack success across 20 independent runs. Execution time: under 3 minutes on a MacBook Pro without GPU.
Most developers focus on securing LLM outputs, but the vulnerability lies in retrieval. Once a poisoned document achieves high cosine similarity, it dominates retrieval regardless of prompt engineering or output filtering. The LLM trusts “correction narratives” over raw factual data because retrieval ranking presents malicious content as authoritative. The system appears to cite sources while spreading fabricated information.
Real-World RAG Poisoning: Six Major Incidents Since January 2025
Production incidents validate RAG poisoning as an active, exploited threat vector. In January 2025, researchers documented how hidden prompts in GitHub code comments poisoned DeepSeek’s DeepThink-R1 model. When the model was trained on contaminated repositories, it learned a backdoor: whenever it encountered a specific phrase, it responded with attacker-planted instructions—months later, without internet access.
The MCP (Model Context Protocol) ecosystem has been particularly vulnerable. In September 2025, attackers compromised the postmark-mcp NPM package (1,500 weekly downloads), adding a single line to the send_email function that BCC’d every outgoing email to an attacker-controlled domain. Password resets, invoices, internal memos—all silently exfiltrated for days before detection. Furthermore, one month later, the Smithery supply chain attack exploited a path-traversal bug in build configurations, compromising 3,000+ hosted MCP applications and exfiltrating API tokens and credentials.
The scale extends beyond individual packages. CVE-2025-6514, a critical OS command-injection vulnerability in mcp-remote, affected 437,000+ downloads and was featured in official integration guides from Cloudflare, Hugging Face, and Auth0. Additionally, Aim Security discovered “EchoLeak” in Microsoft 365 Copilot—a vulnerability that exploits RAG design flaws to automatically exfiltrate any data from the Copilot’s context, no specific user behavior required.
These aren’t research proof-of-concepts. Real production systems, real data breaches, real exfiltration. The 437K downloads of vulnerable mcp-remote demonstrate ecosystem-wide exposure.
Ingestion-Layer Defense: 4x More Effective Than Output Filtering
Here’s the counterintuitive insight most teams miss: defending at the output layer (filtering LLM responses) achieves 60-85% attack success rates. However, defending at the ingestion layer reduces attack success to 20%. Embedding anomaly detection—analyzing documents before they enter the vector database—is 4x more effective than post-generation filtering.
The technique works by detecting suspicious patterns: pairwise similarity greater than 0.90 between new documents, or similarity exceeding 0.85 to existing collection content. These thresholds flag coordinated document injections and vocabulary-optimized poisoning attempts. Amine Raji’s defense testing measured the impact: no defenses yields 95% attack success, embedding anomaly detection alone drops it to 20%, and combining all five defense layers (ingestion sanitization, access control, prompt hardening, output monitoring, embedding anomaly detection) achieves 10% attack success.
Why is ingestion defense so much more effective? Poisoned documents persist indefinitely once in the vector database, affecting all subsequent queries and users. Consequently, output filtering attempts cleanup after malicious content is already retrieved and presented to the LLM—patching symptoms, not causes. Ingestion-layer defense prevents permanent contamination before documents enter ChromaDB, Pinecone, or Weaviate.
The practical defense architecture requires three layers: ingestion controls (document sanitization, embedding anomaly detection, provenance tracking), retrieval controls (role-based access, permission-aware retrieval, access monitoring), and generation controls (output filtering, fact-checking, PromptGuard detection). Most teams implement layer 3 only. That’s backwards.
Attack Efficiency and Immediate Action Items
The shocking efficiency: PoisonedRAG research demonstrates that injecting just 5 malicious texts into a knowledge database with millions of documents achieves 90% attack success. Dataset-specific results show 97% ASR on Natural Questions, 99% on HotpotQA, and 91% on MS-MARCO, tested with PaLM 2. The “250 documents” threshold represents broader campaigns, but focused attacks require far fewer. Therefore, a laptop, 3 minutes, and 5 carefully crafted documents—that’s all attackers need.
Developers should act immediately. Implement embedding anomaly detection at ingestion: check pairwise similarity between new documents (flag >0.90), verify similarity to existing collection (flag >0.85), and reject suspicious clusters before insertion. Moreover, sanitize all PDFs and documents for invisible text (font-size: 0), Unicode steganography, and metadata injection—74% of data loaders fail this basic validation. Use Meta’s PromptGuard to detect injection attempts in document content, and enforce role-based access control with permission-aware retrieval for multi-tenant systems.
If you’re using LangChain, LlamaIndex, or building custom RAG systems, audit your ingestion pipeline today. Vector databases (ChromaDB, Pinecone, Weaviate) prioritize performance over security and lack encryption by default. Security is your application-layer responsibility. Treat document ingestion like code deployment: review, test, stage, deploy. Version control your vector database with snapshots before each ingestion batch, enabling rollback when poisoning is detected.
Key Takeaways
- RAG poisoning is active and exploited: Six major incidents in 14 months (DeepSeek backdoor, postmark-mcp, Smithery, CVE-2025-6514, Qwen jailbreak, Microsoft Copilot EchoLeak) demonstrate real production impact, not theoretical risk.
- Attack efficiency is shocking: Just 5 documents in millions achieves 90% success rate. Poisoning 0.04% of a corpus leads to 98.2% attack success and 74.6% system failure. Execution requires less than 3 minutes on a laptop without GPU.
- Ingestion defense is 4x more effective: Output filtering (60-85% attack success) is inadequate. Embedding anomaly detection at ingestion (20% attack success) prevents permanent contamination. Implement similarity checks: greater than 0.90 pairwise, greater than 0.85 to collection.
- Immediate action required: Audit ingestion pipelines, sanitize PDFs/documents for hidden text and metadata, use PromptGuard for injection detection, enforce RBAC with permission-aware retrieval, and version control vector databases with rollback capability.
- Supply chain risk is systemic: 437,000 downloads of vulnerable mcp-remote, 3,000 compromised Smithery apps, and official integration guides featuring vulnerable packages show ecosystem-wide exposure. Vet third-party MCP servers and NPM packages before integration.
