Which LLM-security vendors cover LLM08 Vector and Embedding Weaknesses? (2026)
LLM08 Vector and Embedding Weaknesses — Flaws in RAG stores let attackers poison, extract, or infer data. As of , 2 of 21 vendors llmthreat tracks score Covered for this risk, 7 more score Partial. Scores are llmthreat's editorial read of public documentation, not a third-party audit.
- 2/21
- Covered
- 7
- Partial
- 8
- Not covered
- 4
- Unverified
How it happens
RAG apps embed documents into a vector DB and pull the top-k nearest matches into the prompt by cosine/dot-product similarity. Attackers exploit this three ways: indirect prompt injection, where hidden text (white-on-white font, zero-width unicode, PDF metadata) is planted in a resume or web page so the retriever pulls a malicious instruction straight into context — the documented case is a resume-screening bot tricked into recommending an unqualified candidate. Cross-tenant leakage happens in shared vector stores without per-namespace isolation, where a query from Tenant A returns embeddings belonging to Tenant B. Embedding inversion is the third path: if raw vectors leak (via API response or a compromised DB), tools like vec2text (Morris et al., 2023) reconstruct a large share of the original source text from the vector alone, which breaks the assumption that embeddings are a safe, anonymized representation.
How to test for it
Plant adversarial documents (hidden text, invisible unicode, injected PDF metadata) in your corpus and confirm they get retrieved and change the output — the standard indirect-injection test for RAG. Query the retriever with different tenant/API credentials and verify zero cross-namespace hits (test the actual enforcement mechanism: Pinecone namespaces, Weaviate multi-tenancy classes, pgvector row-level security). Run vec2text or an equivalent embedding-inversion PoC against your own stored vectors to measure how much source text is recoverable.
How to mitigate it
Enforce tenant isolation inside the vector store itself (namespace/row-level security), not just at the application layer. Sanitize documents before embedding — strip hidden text, HTML comments, zero-width characters. Treat every retrieved chunk as untrusted input and run it through the same injection defenses you use for user input (LLM01). Don't expose raw embedding vectors through public APIs. Limits: sanitizers only catch known encoding tricks, and retrofitting isolation into an existing shared vector store is a real re-architecture, not a config flag.
Which vendors cover LLM08 Vector and Embedding Weaknesses?
| Vendor | Category | Coverage | How it's addressed | Source |
|---|---|---|---|---|
| Lakera | Guardrails / LLM Firewall | Covered | Guard protects RAG/vector data at runtime (Red testing scope limited). | https://www.lakera.ai/blog/owasp-top-10-for-llm-applications-lakera-alignment |
| TrojAI | AI Red Teaming | Covered | TrojAI Defend's product page explicitly documents vector/embedding weakness protection: 'The system stops weaknesses in how vectors and embeddings are generated, stored, or retrieved from being exploited to inject harmful content, manipulate models, or access sensitive data.' | https://troj.ai/products/defend |
| Noma Security | AI-SPM / Runtime Protection | Partial | ARM analyzes agent knowledge sources/embeddings for risky combinations; specific embedding-inversion control unverified. | https://noma.security/blog/owasp-top-10-agentic-risks-with-noma/ |
| Straiker | Agentic AI Security | Partial | Defend AI's multi-layer telemetry collection explicitly includes monitoring of RAG content and vector components as part of its runtime coverage, though not a dedicated embedding-security control. | https://www.straiker.ai/products/defend-ai |
| Enkrypt AI | Guardrails / LLM Firewall | Partial | AI Data Risk Audit examines embeddings; specific embedding-inversion defense not detailed. | https://www.enkryptai.com/ |
| Giskard | AI Red Teaming | Partial | RAG evaluation toolkit (RAGET) tests retrieval quality; embedding-security weaknesses not specifically addressed. | https://docs.giskard.ai/ |
| HiddenLayer | AI-SPM / Runtime Protection | Partial | AIDR discovers RAG corpora and checks data pipelines for poisoning/PII, and platform documentation states AI supply-chain coverage includes vector databases; no dedicated embedding-inversion/embedding-security control detailed. | https://www.hiddenlayer.com/insight/integrating-ai-security-into-the-sdlc |
| Pangea | Guardrails / LLM Firewall | Partial | AI Guard filters data flowing to/from RAG; vendor claims 8/10 OWASP coverage. | https://www.prnewswire.com/news-releases/pangea-unveils-suite-of-ai-security-guardrails-to-address-llm-software-risks-and-accelerate-ai-development-debuts-10-000-jailbreak-competition-302379049.html |
| Prompt Security | Guardrails / LLM Firewall | Partial | Redacts sensitive data before it reaches vector databases. | https://prompt.security/solutions/homegrown-genai-apps |
8 vendors score Not covered and 4 score Unverified for LLM08 — see the full coverage matrix.
Frequently asked questions
Which vendors cover LLM08 Vector and Embedding Weaknesses?
2 of the 21 vendors llmthreat tracks score Covered for LLM08 Vector and Embedding Weaknesses: Lakera, TrojAI. 7 more score Partial, as of 2026-07-13.
What is LLM08 Vector and Embedding Weaknesses?
Flaws in RAG stores let attackers poison, extract, or infer data.