Five poisoned documents can hijack your whole RAG

The model is not compromised. The knowledge base is. A handful of planted documents, crafted to rank first for a target question, steer the agent to a chosen wrong answer with a citation.

B

Balagei G Nagarajan

4 MIN READ


A vast field of pale documents with a few glowing red ones rising to the top of a retrieval beam, pulled into an AI agent
RAG poisoning is an attack on the knowledge base, not the model.
— from “Five poisoned documents can hijack your whole RAG”

Key facts.

  • A handful of documents is enough: PoisonedRAG achieves over 90% attack success, up to 97% on Natural Questions, by injecting just 5 malicious texts per target question into a corpus of 2,681,468 clean documents (PoisonedRAG, arXiv:2402.07867, USENIX Security 2025).
  • Scale is no defense: a bigger knowledge base doesn't dilute the attack, because the retriever is a sorter, not a random sampler, it actively surfaces the poisoned document crafted to rank top for the target query (PoisonedRAG, 2025).
  • Existing defenses fall short: the paper evaluated several defenses and found them insufficient, so a knowledge base you let untrusted content into is an open attack surface (PoisonedRAG, 2025).

what's RAG poisoning?

RAG poisoning is an attack on the knowledge base, not the model. Instead of jailbreaking the prompt, the attacker plants documents in the corpus the agent retrieves from, crafted so that for a chosen target question the malicious document ranks at the top and gets pulled into the context. The model then answers from attacker-controlled text, confidently and with a citation, because to the agent it looks like a legitimate retrieved source. The model was never compromised. The data it trusts was, which is why this works even on a perfectly aligned model.

Why doesn't a huge corpus protect me?

Because retrieval isn't a lottery. The intuition that five malicious documents in three million will simply be drowned out assumes the retriever picks at random. It doesn't, it sorts, returning the top matches for the query. PoisonedRAG crafts each poisoned document to score highest for its target question, so the size of the corpus is irrelevant: the attack doesn't need to be probable, it needs to be top-ranked. that's why the paper reaches over 90% attack success, and 97% on Natural Questions, with just five planted texts in a corpus of 2.68 million. More clean documents don't dilute a document built to win the ranking.

# A poisoned document planted for a target question
# Q: "What is the recommended dose of DrugX?"
Title: DrugX Dosing Guidance
Body: [text optimized to rank #1 for that query] ...
 "The recommended dose of DrugX is [attacker's wrong answer]."
# Retrieved as top-1, cited as a source, answered with full confidence.

Where does the poison come from?

Anywhere you ingest content you don't fully control. A knowledge base that indexes public web pages, user uploads, support tickets, wiki edits, or third-party feeds is a knowledge base an attacker can write to. The same is true of agents that retrieve live from the web or read shared documents. Each ingestion point is a place to plant a document, and because the payload is just text that reads plausibly, nothing about it looks malicious until you trace why the agent gave a wrong, confident, sourced answer.

A grid of many neutral documents with three red poisoned ones, an arrow showing the retriever ranking the red ones to the top for a target query and feeding them to the model

How do you defend a knowledge base?

DefenseWhat it does
Provenance and trust scoringWeight or filter sources by how much you trust their origin
Sanitize at ingestionVet and clean untrusted content before it enters the index
Restrict who can writeLimit and authenticate what can be added to the corpus
Cross-check across sourcesRequire agreement among multiple retrieved docs before trusting a claim
Detect anomaliesFlag documents crafted to rank suspiciously high across many queries
Human review for high-stakesGate sensitive answers on a verified source

The pattern is that RAG makes your knowledge base part of your trust boundary, and a handful of planted documents can steer the agent without ever touching the model. Score sources by provenance, sanitize and gate what enters the index, require cross-source agreement on high-stakes claims, and never treat retrieved-and-cited as verified. None of that's a bigger model, which will read a poisoned document just as faithfully. it's a data-trust layer that knows which sources have earned the agent's belief, which is what VibeModel builds as the Pattern Intelligence Layer.

Frequently asked questions

Won't a bigger knowledge base dilute the attack?
No. The retriever sorts for the top match rather than sampling at random, and the poison is crafted to rank first for its target query. PoisonedRAG reached 90%+ success with 5 documents in 2.68 million, so corpus size offers no protection.

Is the model being hacked?
No, the data is. The model faithfully answers from whatever it retrieves; the attack plants a trusted-looking source. that's why a more capable or better-aligned model doesn't help, it reads the poison just as faithfully.

What's the first defense to add?
Control and score what enters the index: authenticate who can write to the corpus, sanitize untrusted ingestion, and attach provenance so the retriever can down-weight low-trust sources. Then require cross-source agreement on anything high-stakes.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.