Malicious documents crafted so their vectors outrank legitimate ones for target queries — controlling what the AI is told to read.

Reconstructing source text from stored vector representations — reading private documents from a vector store without direct document access.

Embeddings from restricted users bleeding into responses for other users in shared vector databases — bypassing organizational access controls.

Injecting hidden instructions into documents before embedding — making the AI follow attacker-supplied directives whenever that document is retrieved.