Skip to content

Scenario 07: RAG Pipeline Poisoning

Difficulty: Intermediate Time: ~30 minutes Prerequisites: Complete Scenario 04 Target: ailab-ds:8080 (Weaviate), ailab-dev:11434 (Ollama)

Background

Retrieval Augmented Generation (RAG) pipelines combine a vector database (retrieval) with an LLM (generation) to produce contextually grounded responses. If an attacker can write to the vector store, they can inject malicious documents that will be retrieved and presented as authoritative answers. This is analogous to SEO poisoning but for enterprise knowledge bases.

Objective

Inject a poisoned document into a vector database and demonstrate that an LLM retrieves and cites it as a legitimate source.

Commands

# First, enumerate the Weaviate collections to understand the schema
aipostex vectordb --type weaviate --target 172.16.50.30:8080 enum

# Explore the Ollama instance to see available models
aipostex ollama --target 172.16.50.10:11434 enum

Expected Finding

Weaviate (ailab-ds:8080): - Collections with open write access - No authentication required for object creation - Existing documents that reveal the RAG schema and naming conventions

Ollama (ailab-dev:11434): - Available models that could be used for generation - Model details revealing context window sizes and capabilities

The attack surface is: 1. Attacker reads existing documents to learn the schema 2. Attacker injects a crafted document with misleading content 3. When a user queries the RAG system, the poisoned document is retrieved 4. The LLM presents the poisoned content as fact

Example finding:

{
  "finding_type": "vulnerability",
  "service": "weaviate",
  "detail": "Write access to vector store - RAG poisoning possible",
  "collections_writable": 2
}

Scoring objective: Weaviate collections are confirmed writable without authentication.

Real-World Impact

RAG poisoning is one of the most impactful AI-specific attacks. Enterprise RAG systems power internal chatbots, customer support, and decision-making tools. A poisoned vector store can spread disinformation through every system that queries it — from customer-facing chatbots giving wrong medical/financial advice to internal tools providing incorrect security guidance.

Follow-On

  • Scenario 10: Combine RAG poisoning with model tampering
  • Scenario 12: Use poisoning as part of a multi-vector campaign