Documentation Index
Fetch the complete documentation index at: https://hydroxai.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
What is Cross-Context Retrieval?
Cross-Context Retrieval is an attack targeting Retrieval-Augmented Generation (RAG) systems where an attacker crafts queries that cause the retrieval component to return documents or data from contexts, tenants, or data sources that the user should not have access to. This exploits the gap between the broad retrieval capabilities of embedding-based search and the narrower authorization boundaries of the application.Why It Matters
RAG is the dominant architecture for grounding AI systems in enterprise data, making this attack highly relevant:- Data isolation failure — Multi-tenant RAG systems may leak data between organizations.
- Confidentiality breach — Users can access documents above their clearance level.
- Embedding space exploitation — Semantic similarity search can surface related but unauthorized documents.
- Hard to audit — Unlike SQL injection, cross-context retrieval exploits semantic relationships that are difficult to define and monitor.
- Scale of impact — RAG systems often index vast amounts of organizational data, amplifying the blast radius.
How the Attack Works
Semantic Boundary Crossing
Crafting queries that are semantically similar to unauthorized content:- Using domain-specific terminology to attract documents from restricted collections
- Asking about topics that are semantically adjacent to confidential information
- Using vague queries that maximize recall across multiple contexts
Metadata Exploitation
Manipulating or ignoring retrieval filters:- Exploiting weak or missing tenant filters in vector database queries
- Crafting queries that cause filter bypass in the retrieval pipeline
- Targeting shared indexes where tenant isolation happens at the application layer
Context Window Pollution
Forcing the retrieval of unauthorized documents into the AI’s context:- Submitting queries that preferentially rank unauthorized documents higher
- Exploiting the retrieval system’s re-ranking to surface restricted content
- Using prompt injection within retrieved documents to alter AI behavior
Example Scenarios
| Scenario | Risk |
|---|---|
| Employee retrieves executive compensation data through a RAG-powered HR assistant | Confidentiality breach |
| One customer’s data appears in another customer’s AI responses in a SaaS product | Multi-tenant data leak |
| AI retrieves documents from a restricted legal collection through semantic similarity | Privilege violation |
| Prompt injection in a retrieved document causes the AI to reveal other retrieved documents | Cascading data leak |
Mitigation Strategies
- Retrieval-level access control — Apply user permissions at the vector database query level, not just post-retrieval
- Tenant isolation — Use separate vector collections or strict partition keys per tenant
- Document-level security — Tag every document with access control metadata and filter before retrieval
- Result validation — Verify authorization for each retrieved document before including it in the AI context
- Semantic guardrails — Monitor for queries that consistently retrieve documents outside the user’s expected domain
- Testing at scale — Use Know Your AI to test cross-context retrieval with diverse multi-tenant scenarios