Retrieval-augmented generation systems are vulnerable to document injection attacks.
We demonstrate practical attacks against RAG systems where an attacker injects documents into the knowledge base that contain hidden instructions. When these documents are retrieved during inference, the injected instructions override the system prompt. We evaluate this attack against 6 enterprise RAG deployments and propose detection mechanisms.