OWASP LLM Top 10 · LLM08
Vector and Embedding Weaknesses
Attacks and leaks in the RAG layer: the embeddings, vector store, and retrieval that ground your model.
What it is
Retrieval-augmented generation adds a new attack surface most security reviews miss: the embedding model, the vector database, and the retrieval logic. Weaknesses here cause cross-context leakage, let attackers steer what gets retrieved, or expose sensitive data encoded in embeddings.
How it shows up in real apps
- Multi-tenant vector stores without strict partitioning, so one tenant's query retrieves another's chunks.
- Embedding inversion and membership inference: recovering sensitive text, or answering 'was X in the index?', straight from vectors.
- Retrieval manipulation: crafting content that ranks for high-value queries (overlaps with poisoning and injection).
- Stale or over-broad indexes returning data that should have been deleted or access-restricted.
A concrete example
Scenario
A shared vector index serves multiple customers from one collection.
Attack
A user phrases queries to pull chunks that belong to a different customer's documents.
Result
Confidential content crosses the tenant boundary through retrieval rather than through the model itself.
How we test for it
We test the retrieval layer directly: partitioning and access control across tenants and users, whether crafted queries can surface out-of-scope chunks, and whether deletion and permissions actually propagate to the index. This is where the model is fine but the plumbing leaks.
How to reduce the risk
- Partition vector stores per tenant or user, and filter retrieval by permission rather than after the fact.
- Control access to embeddings as you would the underlying data. They are derived data, not anonymised.
- Propagate deletions and permission changes into the index.
- Attribute and rank sources so manipulated content cannot silently dominate.
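The partitioning, permission pre-filtering and deletion propagation above, as an added example that is not Redproof's code: a minimal in-memory vector store whose retrieval filters by tenant and role before ranking, beside the leaky unfiltered pattern from the scenario. Chunk vectors, tenant names and roles are constructed sample values, not real embeddings.

```python
# Added example (not from the page's author): tenant-scoped retrieval with
# pre-filtering and deletion propagation. All vectors are constructed.
import math
from dataclasses import dataclass


@dataclass
class Chunk:
    doc_id: str
    tenant: str
    allowed_roles: frozenset
    text: str
    vec: list


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


class TenantScopedIndex:
    def __init__(self):
        self.chunks = []

    def add(self, chunk):
        self.chunks.append(chunk)

    def delete_document(self, doc_id):
        """Propagate a deletion: drop every chunk of the document from the index."""
        self.chunks = [c for c in self.chunks if c.doc_id != doc_id]

    def retrieve_unfiltered(self, query_vec, k=2):
        """The leaky pattern: rank across the whole shared collection."""
        return sorted(self.chunks, key=lambda c: -cosine(c.vec, query_vec))[:k]

    def retrieve(self, query_vec, tenant, role, k=2):
        """Filter by tenant and permission first, then rank only what the caller may see."""
        visible = [c for c in self.chunks if c.tenant == tenant and role in c.allowed_roles]
        return sorted(visible, key=lambda c: -cosine(c.vec, query_vec))[:k]


# Constructed sample: two tenants whose documents embed close to the same query.
INDEX = TenantScopedIndex()
INDEX.add(Chunk("acme-1", "acme", frozenset({"staff"}), "Acme pricing", [1.0, 0.0, 0.1]))
INDEX.add(Chunk("globex-1", "globex", frozenset({"staff"}), "Globex pricing", [0.98, 0.02, 0.1]))
INDEX.add(Chunk("acme-2", "acme", frozenset({"admin"}), "Acme payroll", [0.9, 0.1, 0.2]))
QUERY = [1.0, 0.0, 0.0]


def tenants_returned(results):
    """Which tenants' data reached the caller; a retrieval test should expect exactly one."""
    return {c.tenant for c in results}
```

The unfiltered call returns a Globex chunk to an Acme query, which is the cross-tenant leak the scenario describes; the scoped call never ranks it, and after `delete_document` the removed document cannot be retrieved.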
EU AI Act: commonly maps to Art. 10 (data governance) and Art. 15 (robustness). Redproof reports findings as independent testing evidence, not a conformity verdict.
Test this on your own AI before someone else does
Redproof is independent red-teaming for LLM and AI-agent products. We probe your system for vector and embedding weaknesses and the rest of the OWASP LLM Top 10, hand you severity-ranked findings with reproductions, fixes, and EU AI Act mapping, and re-test after you patch. That is the evidence your self-assessment needs, before a regulator or customer asks.