AI Threat Alert
ATLAS Landscape
AML.T0070
RAG Poisoning
Adversaries may inject malicious content into data indexed by a retrieval augmented generation (RAG) system to contaminate a future thread through RAG-based search results. This may be accomplished by placing manipulated documents in a location the RAG indexes (see [Gather RAG-Indexed Targets](/techniques/AML.T0064)). The content may be targeted such that it would always surface as a search result for a specific user query. The adversary's content may include false or misleading information. It may also include prompt injections with malicious instructions, or false RAG entries.
12 CVEs mapped
View on MITRE ATLAS →
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2025-1793 | llama_index: SQL injection in vector store integrations | llama-index | 9.8 |
| CRITICAL | CVE-2025-6853 | Langchain-Chatchat: path traversal in KB upload | langchain-chatchat | 9.8 |
| HIGH | CVE-2026-41277 | Flowise: mass assignment enables cross-workspace IDOR | flowise | 8.8 |
| HIGH | CVE-2026-44554 | open-webui: RAG poisoning via unauthorized KB overwrite | open-webui | 8.1 |
| HIGH | CVE-2026-28788 | Open WebUI: BOLA enables RAG poisoning via file overwrite | open-webui | 7.1 |
| MEDIUM | CVE-2025-6211 | llama-index: DocugamiReader MD5 hash collision drops chunks | llama-index-readers-docugami | 6.5 |
| MEDIUM | CVE-2021-28796 | Qiita::Markdown: XSS in transformer components | 6.1 | |
| MEDIUM | CVE-2026-40112 | PraisonAI: XSS via no-op HTML sanitizer in agent output | praisonai | 5.4 |
| LOW | CVE-2026-25211 | llama-stack: security flaw enables exploitation | 3.2 | |
| LOW | CVE-2026-7846 | Langchain-Chatchat: TOCTOU race allows silent file overwrite | langchain-chatchat | 2.6 |
| UNKNOWN | CVE-2025-21604 | AIDeepin: MD5 collision enables RAG knowledge base poisoning | — | |
| LOW | CVE-2025-65858 | — |