Vector and Embedding Weaknesses
detect, understand, remediate

Source corpus and ingestion pipeline

The documents that flow into the index: knowledge-base articles, support tickets, internal wiki pages, code, customer records, contracts, emails, chat history, SharePoint and Google Drive shares, S3 buckets, customer-uploaded files, and crawled web pages. The ingestion job reads each document, splits it into chunks, calls the embedding model, and writes the vectors plus the source text and metadata into the vector store. Each stage is a control point: who is allowed to push into the queue, what document classification the ingestion enforces, what per-document ACL it carries through, and whether ingestion logs are auditable.

Embedding model and chunking policy

The model that turns text into vectors (OpenAI text-embedding-3, Cohere embed, Voyage AI, Anthropic via Claude, open-weights bge, gte, e5, mxbai, jina, Nomic, all-MiniLM). The chunking strategy decides how a document is split (fixed-size, recursive, semantic, parent-child, late-chunking). Both decisions affect what an inversion attack can recover, what poisoning needs, and what the retrieval ACL has to express. A change of embedding model or chunking is a release event with security consequences, not a routine performance tuning.

Vector store and metadata index

The database that holds the vectors plus the chunk text plus the metadata. The metadata typically carries source identifier, tenant identifier, document classification, owner, ingestion timestamp, source-system pointer, and the per-document ACL needed at retrieval time. The store enforces (or fails to enforce) per-tenant isolation, encryption at rest, encryption in transit, network access control, administrative access control, audit logging, and backup integrity. Many production failures are vector store admin-plane mistakes rather than retrieval-call mistakes.

Retrieval call and the authorisation context

The retrieval call assembles the question, embeds it, applies metadata filters (tenant identifier, document classification, owner), retrieves top-k nearest vectors, and returns the chunks to the orchestration layer. The authorisation context (who is asking, what tenant, what role, what document scope) has to reach the metadata filter as a non-bypassable predicate. A retrieval call that runs as a service identity with no per-request user predicate is the most common LLM08 failure pattern.

Reranker, fusion, and post-retrieval pipeline

Many production pipelines retrieve a wider candidate set, then run a cross-encoder reranker (Cohere Rerank, BGE Reranker, custom cross-encoder) over the candidates, then fuse with a keyword retrieval result (hybrid BM25 + vector), then deduplicate, then optionally summarise. Each stage can leak content that the original retrieval would have hidden, can drop ACL metadata, or can introduce a new ranking surface an attacker can game.

Model context assembly and the system prompt boundary

The orchestration layer assembles the retrieved chunks into the model prompt: which chunks, in which order, with what separator, with what citation rendering, and with what reminder of the system prompt and the tool permissions. A weak prompt boundary lets retrieved content override the system prompt; a strong boundary keeps the retrieved content quoted and labelled. The assembly is part of the LLM08 surface even though it executes between retrieval and the model.

Observability, audit log, and replay

The retrieval call carries who asked, what was asked, what the embedded query vector looked like, which document IDs were returned, what reranker scores were applied, what the final prompt looked like, and what the model returned. The log is the evidence the auditor reads to reconstruct a cross-tenant disclosure incident, a poisoning incident, or an inversion attempt. Without the log there is no incident response and no audit defence.

Index lifecycle and deletion semantics

Index lifecycle covers re-embedding (when the source document changes or the embedding model changes), partial deletion (when a tenant offboards or a record is purged for GDPR Article 17 right to erasure), reindex (when the schema or chunking changes), backup, and disaster recovery. A store that silently retains vectors after a delete-by-document call leaves an inversion footprint long after the source text is gone. A backup that survives the deletion is the same finding under a different name.

Treating the vector store as cache rather than a privileged data store

The team built the retrieval feature against a vector store with default credentials, a permissive admin role, weak network policy, no audit logging, and no encryption-at-rest review. The store inherited the security posture of an internal cache, but the records inside are derived from privileged source documents and the chunk text recovers the underlying content. The mismatch between perceived sensitivity and actual sensitivity drives the rest of the class.

Per-document ACL implemented at ingestion only, not at retrieval

The ingestion job copies the ACL from the source system into the metadata at write time. The retrieval call assumes the ingestion did the work and does not re-check on every read. ACL changes on the source after ingestion (revocation, reclassification, ownership transfer) do not propagate. A user whose access was revoked yesterday still retrieves the document today.

Single service identity for all retrieval calls instead of propagated user context

The application calls retrieval with a single service token. The retrieval layer cannot enforce per-user ACL because the per-user context is not present at retrieval. The platform team writes ACL logic in the application instead, where it is harder to audit and easier to skip. The retrieval becomes the platform-equivalent of running every database query as the application superuser.

Storing raw chunk text alongside vectors without redaction policy

The chunk text sits next to the vector and the metadata in the vector store. The team treats the chunk as needed for citation rendering but never audits which classification of content reaches the store. PII, secrets, legal-hold material, classified-document content, and confidential customer data all land in the same store with the same access control.

No audit log for retrieval, ranker, or context-assembly stages

The team logs the model call but not the retrieval, the rerank, or the context assembly. An incident reviewer can see the model output but cannot say which documents the model read, which user the retrieval served, or which ranker pushed which chunk to the top. The class becomes invisible to incident response and audit.

Embedding model swap, schema change, or chunking change without index rebuild

The team upgraded the embedding model, added a new ACL field to the metadata, or changed chunking strategy. The index was partially migrated. Old rows and new rows coexist. The retrieval call assumes the new schema. The old rows leak past the new ACL because the new predicate does not match the old field. The release went out without a rebuild plan.

Automated detection

• SecPortal code scanning runs Semgrep SAST and dependency analysis across connected GitHub, GitLab, and Bitbucket repositories. Findings surface at retrieval call sites that build the metadata filter without the authenticated user predicate, ingestion pipelines that write into the vector store without an ACL field, embedding-model wrappers that ship vectors out to analytics or logging sinks, and prompt-assembly code that drops the source attribution before the model call.
• External scanning enumerates exposed vector-store admin endpoints, public dashboards on hosted vector databases, leaked embedding API keys, accidentally public buckets that hold chunk text, and debug routes that disclose the embedding model name or vector store version. A publicly visible retrieval gap lands as a finding before an external researcher writes the writeup.
• Authenticated scanning drives the deployed AI feature with cross-tenant probes: requests under one user that ask questions whose answers should only exist in another tenant's documents, requests that target documents the user lost access to yesterday, requests crafted to maximise similarity against another tenant's known content, and requests that exercise the reranker and hybrid retrieval legs independently to detect ACL drift between stages.
• Continuous monitoring re-runs the retrieval-side ACL probe on the configured cadence. An embedding model swap, a metadata schema change, a chunking change, a new ingestion source, a new reranker, or a deployment manifest change that re-opens a previously closed retrieval ACL finding surfaces against the baseline rather than waiting for the next audit cycle.
• Bulk finding import accepts CSV intake from dedicated AI security scanners, vector-store posture tools, embedding inversion testers, and AI-aware DAST tools so external scanner results land on the same engagement record as the SecPortal probes with one CVSS 3.1 calibration applied across the LLM08 finding chain.

Manual testing

• Inventory the retrieval feature: the embedding model and version, the chunking policy, the vector store and tier, the metadata schema, the ACL field, the ingestion sources, the reranker (if any), the hybrid retrieval (if any), the post-processing pipeline, the prompt assembly, and the audit log shape. Record source identifier, classification, owner, and per-document ACL field per source.
• Walk the retrieval call and confirm a per-user authorisation predicate is applied as a non-bypassable metadata filter on every retrieval, not at ingestion only. Construct two test users in two tenants with overlapping topic coverage and confirm neither retrieves the other's documents under matched queries.
• Revoke a user's access to a known document in the source system. Confirm the next retrieval from the same user no longer returns the document, on retrieval, on the reranker leg, on the hybrid BM25 leg, and through any cached embedding path.
• Pull a small sample of vectors from the production vector store. Run a published embedding-inversion approach against the sample (Vec2Text or similar). If recoverable text is identifiable, the vectors carry confidentiality the access control did not enforce.
• Craft a poisoning candidate: a document with embedding-similarity-maximising text against expected queries and a chosen payload (instruction smuggling, factual override, citation injection). Push the candidate through every ingestion path the team supports (manual upload, crawler, webhook, partner sync). Confirm whether the integrity gate blocks the candidate or whether the candidate reaches production retrieval.
• Delete a known document through the official deletion path and verify the vector store no longer returns the chunk text and no longer returns a vector close to the deleted content. Repeat the check against the backup, the analytics pipeline, the feature store cache, and any embedding mirror the team operates.
• Run a denial-of-service probe: submit queries with long inputs, with top-k well beyond the documented ceiling, with token-stuffing patterns, and with rerank-expensive payloads. Confirm the per-tenant cost ceiling, the rate limit, and the back-pressure controls hold before serving capacity is exhausted.

Finding with the retrieval surface and the failed predicate

The finding captures the retrieval surface (embedding model and version, vector store identity, metadata schema, ACL field, reranker if present), the failed predicate (no per-user ACL, propagated service identity, missing reranker filter, deletion left a vector, vector mirrored to analytics, etc.), the observed disclosure or poisoning evidence, the affected user and tenant scope, and the deployment context. AppSec, product security, AI platform, data, vendor risk, and GRC read the same record the engineering team uses to ship the fix.

Code scanning across retrieval, ingestion, and prompt assembly

Code scanning runs Semgrep SAST and dependency analysis against connected GitHub, GitLab, and Bitbucket repositories. Findings surface at retrieval call sites missing the user predicate, ingestion pipelines writing without an ACL field, embedding wrappers shipping vectors to analytics, prompt assembly dropping source attribution, and vector-store client configurations that bypass the metadata filter.

External scanning across exposed AI infrastructure

External scanning enumerates exposed vector-store admin endpoints, public dashboards on hosted vector databases, leaked embedding API keys, accidentally public buckets that hold chunk text, and debug routes that disclose the embedding model name or vector store version. A publicly visible retrieval gap lands as a finding before an external researcher writes the writeup.

Authenticated scanning against cross-tenant retrieval

Authenticated scanning drives the deployed AI feature with cross-tenant probes under a real session: requests under one user that ask questions whose answers should only exist in another tenant's documents, requests that target documents the user lost access to, requests that exercise the reranker and hybrid retrieval legs independently to detect ACL drift between stages. Each finding ties the response to the retrieval surface that allowed the call.

Continuous monitoring against retrieval drift

Continuous monitoring re-runs the cross-tenant retrieval probe and the deletion-correctness check on the configured cadence. An embedding model swap, a metadata schema change, a chunking change, a new ingestion source, a new reranker, or a deployment manifest change that re-opens a previously closed retrieval ACL finding surfaces against the baseline rather than waiting for the next audit.

Bulk import for vector-store and AI security scanners

Bulk finding import accepts CSV intake from dedicated AI security scanners, vector-store posture tools, embedding inversion testers, and AI-aware DAST output. External scanner results land on the same engagement record as the SecPortal probes with one CVSS 3.1 calibration applied across the LLM08 chain.

Document management for the canonical retrieval-feature inventory

Document management stores the retrieval-feature inventory, the per-feature ingestion source list, the metadata schema and ACL field documentation, the embedding model and chunking policy record, the reranker and hybrid retrieval configuration, the prompt assembly contract, the deletion-correctness procedure, and the per-framework control mapping. Each artefact attaches to the finding so the auditor reads the operating record the engineering programme runs against.

Retest after the remediation ships

Once the fix deploys (the retrieval call carries the user predicate, the reranker honours the same filter, the embedding mirror is removed, the deletion path purges vectors and cache and backup, the rate limit enforces per-tenant retrieval ceilings, or the integrity gate blocks the unreviewed source), a targeted retest replays the cross-tenant probe, the deletion check, the inversion check, and the cost probe, and records the post-fix result on the finding. The finding closes against the evidence rather than against a developer assertion.

AI-assisted writeups within verified scope

AI reports generate the writeup, the executive summary, and the developer-facing reproduction steps from the finding record. The narrative stays within the verified evidence on the finding (the retrieval surface, the failed predicate, the disclosure or poisoning evidence, the affected scope, the deployment context, the regulatory mapping) and does not invent ACL services, vector-store features, or runtime tooling the product does not have.

Compliance tracking pairs the fix to control evidence

Compliance tracking maps LLM08 findings to the controls that read against them: OWASP LLM Top 10 LLM08, OWASP AISVS Data and Knowledge Base chapters, NIST AI RMF Map and Manage, ISO/IEC 42001 AI lifecycle and data management, EU AI Act Article 10 data governance and Article 15 cybersecurity, GDPR Article 5 purpose limitation and Article 32 security of processing, NIST SSDF for AI extensions, ISO 27001 Annex A 5.34 privacy and protection of PII and A.8.2 to A.8.5 access control, and SOC 2 CC6.1 logical access.