T12-AT-011 · HIGH
Cross-Collection Attacks
T12 · RAG & Knowledge Base Manipulation
Risk score: 205
Rating: High
Procedures: 10
Severity
Mechanism
Multi-tenant RAG systems maintain separate document collections per user, team, or customer. Cross-collection attacks exploit isolation failures to access documents from other tenants' namespaces. The assumption violated is that collection isolation is enforced at the vector database level — many vector databases (ChromaDB, Qdrant in default configuration) lack robust access controls, and collection names or namespace identifiers may be guessable or enumerable.
Detection
- Monitor cross-collection query attempts; log and alert on queries that reference unauthorized namespaces
- Audit collection access patterns; detect enumeration behavior
- Test isolation boundaries regularly with canary documents in each collection
- Observable signal: queries returning results from collections outside the user's authorized scope
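
The detection signals listed above, applied to a retrieval audit log. This is an added example, not part of the original page; the log format, principal and collection names, canary tokens and the enumeration threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: collections each principal is authorized to read.
AUTHORIZED = {"alice": {"tenant-a"}, "bob": {"tenant-b"}}

# Constructed canary tokens, one planted in each tenant's collection.
CANARIES = {"tenant-a": "CANARY-7f3a-A", "tenant-b": "CANARY-91c2-B"}

# Constructed retrieval audit log:
# (principal, requested collection, [(source collection, chunk text), ...])
EVENTS = [
    ("alice", "tenant-a", [("tenant-a", "Q3 roadmap draft")]),
    ("alice", "tenant-b", []),
    ("alice", "tenant-c", []),
    ("alice", "tenant-d", []),
    ("bob", "tenant-b", [("tenant-a", "notes CANARY-7f3a-A")]),
]

ENUM_THRESHOLD = 3  # assumed: distinct unauthorized collections before alerting


def find_violations(events, authorized, canaries, enum_threshold=ENUM_THRESHOLD):
    """Return a list of (kind, principal, detail) alerts."""
    alerts = []
    denied = defaultdict(set)  # principal -> unauthorized collections requested
    for principal, requested, results in events:
        scope = authorized.get(principal, set())
        if requested not in scope:
            alerts.append(("unauthorized_query", principal, requested))
            denied[principal].add(requested)
        for source, text in results:
            # Observable signal: a result that came from outside the caller's scope.
            if source not in scope:
                alerts.append(("out_of_scope_result", principal, source))
            # A canary from another tenant in the text proves the boundary failed,
            # even if the source metadata was missing or wrong.
            for owner, token in canaries.items():
                if token in text and owner not in scope:
                    alerts.append(("canary_leak", principal, owner))
    for principal, names in denied.items():
        if len(names) >= enum_threshold:
            alerts.append(("enumeration", principal, len(names)))
    return alerts


if __name__ == "__main__":
    for alert in find_violations(EVENTS, AUTHORIZED, CANARIES):
        print(alert)
```
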
Mitigation
- Database-level tenant isolation: HIGH
- Per-tenant embedding models: HIGH
- Namespace access control: HIGH
- Regular isolation testing: MEDIUM
Chaining
Cross-collection attacks enable T7 (Output Exfiltration) by accessing data outside the attacker's authorized scope. Combined with T12-AT-001 (Vector Poisoning), cross-collection access enables poisoning of other tenants' knowledge bases.
Framework mapping
OWASP LLM: LLM02
MITRE ATLAS: AML.T0024