Each is a property of how RAG works — not a bug that can be patched away.
🎭
The attack bypasses prompt-level controls
Security teams guard the user prompt. LLM08 enters through documents already in the knowledge base — before any user submits a query.
🔢
Similarity-based retrieval is mathematically exploitable
Vector spaces have 768–1,536 dimensions — enough degrees of freedom to craft embeddings that score high for any target query without containing the actual keywords.
🤝
Retrieved content is implicitly trusted
The LLM receives retrieved documents as authoritative context. It has no mechanism to distinguish a legitimate internal report from a poisoned one — they arrive the same way.
👻
No trace in logs or prompts
Unlike prompt injection, embedding attacks don’t appear in user-submitted text. They operate silently through the retrieval layer, often undetected until a downstream anomaly surfaces.