Retrieval Augmented Generation is now standard architecture for enterprise AI applications, but no OWASP cheat sheet covers its unique attack surface. AISVS addresses RAG in C08 (Memory, Embeddings and Vector Database) but there is no practitioner-level guidance on how to defend RAG pipelines in production.
This cheat sheet would cover:
- Document poisoning (malicious content injected into the retrieval corpus)
- Embedding manipulation (adversarial inputs that distort similarity search)
- Context window attacks (retrieved chunks that override system prompts)
- Access control inheritance (ensuring document-level permissions carry through to vector chunks)
- Source attribution and provenance (verifying where retrieved content came from)
- Chunk isolation (preventing cross-tenant or cross-classification data leakage in shared vector stores)
- Index integrity (detecting tampering with the vector index itself)
- Query injection via retrieval (user queries crafted to surface sensitive documents)
- Do's and Don'ts
References: OWASP AISVS C08, OWASP Top 10 for LLM Applications, OWASP AI Exchange.
Happy to contribute to or co-author the draft.
Thanks,
Raza
Retrieval Augmented Generation is now standard architecture for enterprise AI applications, but no OWASP cheat sheet covers its unique attack surface. AISVS addresses RAG in C08 (Memory, Embeddings and Vector Database) but there is no practitioner-level guidance on how to defend RAG pipelines in production.
This cheat sheet would cover:
References: OWASP AISVS C08, OWASP Top 10 for LLM Applications, OWASP AI Exchange.
Happy to contribute to or co-author the draft.
Thanks,
Raza