RAG feels safe because it is 'just search.' But a vector store doesn't know who's asking. It returns the most similar chunks — and if chunks from every customer live in the same index, the most similar chunk might belong to someone else.
Vector and Embedding Weaknesses are the RAG-specific flavour of Broken Access Control. A shared vector store returns the nearest chunks regardless of who uploaded them. Without a hard tenant filter, similarity becomes authorization — and similarity does not care about ownership.
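To see why similarity can never double as authorization, look at the function itself. Cosine similarity takes two vectors and returns a score; nothing in its signature encodes who owns either vector. A minimal illustration in plain Python (no vector-store client, toy vectors chosen for clarity):

```python
import math

def cosine_similarity(a: list[float], b: list[float]) -> float:
    """Cosine similarity between two embedding vectors.

    Note the signature: two vectors in, one score out. There is no
    parameter for tenant, owner, or permissions anywhere.
    """
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)

# Two chunks from different customers can be near-identical in
# embedding space; the score alone cannot tell them apart.
print(cosine_similarity([1.0, 0.0], [1.0, 0.0]))  # → 1.0
```

Any access decision has to be made outside this function, by filtering candidates on ownership metadata before (or as part of) the ranking step.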
What your AI actually built
You built a RAG bot that ingests PDFs, emails, and notes and answers questions about them. The first version used one Pinecone index, one namespace, one embedding model. You uploaded a few test docs and it worked beautifully.
Then a second customer onboarded. Their docs went into the same index. The bot still works — until someone asks a question that happens to match the other customer's content more closely than their own. The retriever returns it. The model cites it. The user reads it.
Embeddings are a similarity function, not an authorization system. Without a hard filter by tenant on every query, 'cosine distance' becomes 'leak the nearest document regardless of who owns it.'
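The failure and the fix can be sketched with an in-memory stand-in for the vector store. The tenant IDs, chunk texts, and toy 2-D embeddings below are invented for illustration; a real store such as Pinecone expresses the same idea through metadata filters or per-tenant namespaces:

```python
import math
from dataclasses import dataclass

@dataclass
class Chunk:
    tenant_id: str
    text: str
    embedding: list[float]  # toy 2-D vectors stand in for real embeddings

def cosine(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) *
                  math.sqrt(sum(x * x for x in b)))

# One shared index holding both customers' documents.
index = [
    Chunk("tenant_a", "A's onboarding notes", [1.0, 0.0]),
    Chunk("tenant_b", "B's pricing spreadsheet", [0.6, 0.8]),
]

def search(query_vec, tenant_id=None, top_k=1):
    """Nearest-chunk search. Without tenant_id it ranks purely by
    similarity; with it, chunks are filtered by owner BEFORE ranking."""
    candidates = index if tenant_id is None else [
        c for c in index if c.tenant_id == tenant_id
    ]
    return sorted(candidates,
                  key=lambda c: cosine(query_vec, c.embedding),
                  reverse=True)[:top_k]

# Tenant A asks a question whose embedding happens to sit closer
# to tenant B's content than to A's own.
query = [0.5, 0.87]

leaked = search(query)                      # no filter: similarity wins
print(leaked[0].tenant_id)                  # → tenant_b (cross-tenant leak)

safe = search(query, tenant_id="tenant_a")  # hard filter: ownership wins
print(safe[0].tenant_id)                    # → tenant_a
```

The important design choice is that the filter narrows the candidate set before ranking, so a cross-tenant chunk can never win on similarity. Applying the filter after retrieval (or trusting the prompt to discard foreign chunks) leaves the leak in place.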
How it gets exploited
The setup: a multi-tenant RAG assistant where every customer uploads their own documents into a shared vector index.