
arxiv: 2604.05480 · v2 · pith:N3G3EZNRnew · submitted 2026-04-07 · 💻 cs.CR · cs.DB

Can You Trust the Vectors in Your Vector Database? Black-Hole Attack from Embedding Space Defects

Pith reviewed 2026-05-10 19:35 UTC · model grok-4.3

classification 💻 cs.CR cs.DB
keywords vector database security, poisoning attack, embedding space, hubness, black-hole attack, retrieval vulnerability, high-dimensional geometry, AI security

The pith

A few vectors placed near the center of an embedding space can appear in the top results for nearly every query.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that vector databases are open to a poisoning attack by adding a small set of malicious vectors close to the geometric center of the stored data. These vectors succeed because high-dimensional embeddings leave the centroid region nearly empty, causing any vectors placed there to become nearest neighbors for a large share of other points through centrality-driven hubness. A reader should care because this geometric feature means retrieval systems built on embeddings cannot safely assume their stored vectors are honest or representative. Experiments show the injected vectors entering up to 99.85 percent of top-10 results across tested setups. Standard methods meant to reduce hubness either cut retrieval accuracy sharply or leave the attack largely intact.

Core claim

The Black-Hole Attack works by injecting malicious vectors near the centroid of the existing vectors in a database. In high-dimensional embedding spaces the centroid region stays nearly empty in practice, so vectors located there exhibit centrality-driven hubness and become the nearest neighbor for a disproportionately large number of other vectors. As a result the malicious vectors are returned in the top-k results for most queries, reaching 99.85 percent of top-10 lists in the reported trials. The attack therefore demonstrates that geometric defects make it unsafe to trust vectors in a database without further checks.

What carries the argument

Centrality-driven hubness: the property that vectors placed near the nearly empty centroid of a high-dimensional embedding become nearest neighbors to a disproportionately large number of other vectors.

If this is right

  • A small number of injected vectors can reach high coverage of top-k results without large changes to the database.
  • Existing techniques for lowering hubness either reduce retrieval accuracy or leave most queries still vulnerable to the attack.
  • Retrieval results from vector databases rest on geometric features that attackers can exploit with minimal effort.
  • Secure vector databases will require new defenses that address the empty-centroid property directly.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same central placement tactic could be tested in other embedding-based systems such as recommendation or semantic search to check for similar exposure.
  • Real-time monitoring for vectors that suddenly appear as neighbors to an unusually large fraction of queries might serve as an early detection signal.
  • The effect may grow stronger as embedding dimension increases, suggesting experiments that vary dimension while holding data size fixed.
  • Applications that treat vector retrieval as ground truth, such as legal or medical document search, may need additional verification layers even when the database itself is not directly poisoned.

Load-bearing premise

High-dimensional embedding spaces in practice leave the centroid region nearly empty, so that any vectors placed there become nearest neighbors to many others.

What would settle it

Measure whether a small set of injected vectors near the centroid of a real embedding dataset appears in the top-10 results for the great majority of held-out queries; consistent failure to appear would show the attack does not work as described.
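
The monitoring signal suggested above (vectors that appear as neighbors to an unusually large fraction of queries) and the top-10 measurement just described can be computed with the same audit. The following is an added example, not code from the paper or from Pith: it assumes Euclidean distance, a held-out query set and a hypothetical 0.5 share threshold, and it runs on constructed Gaussian data in which the last record is a constructed vector sitting at the centroid of the others.

```python
import heapq
import math
import random
from statistics import median

def centroid(vectors):
    """Component-wise mean of the stored vectors."""
    n = len(vectors)
    return [sum(col) / n for col in zip(*vectors)]

def topk_share(store, queries, k=10):
    """Fraction of queries whose Euclidean top-k contains each stored id."""
    hits = [0] * len(store)
    for q in queries:
        nearest = heapq.nsmallest(
            k, range(len(store)), key=lambda i: math.dist(q, store[i]))
        for i in nearest:
            hits[i] += 1
    return [h / len(queries) for h in hits]

def audit(store, queries, k=10, max_share=0.5):
    """Return ids whose top-k share exceeds max_share (assumed threshold),
    with their distance to the centroid relative to the median vector."""
    c = centroid(store)
    dist_c = [math.dist(v, c) for v in store]
    med = median(dist_c)
    share = topk_share(store, queries, k)
    return [
        {"id": i, "share": s, "rel_dist": dist_c[i] / med}
        for i, s in enumerate(share) if s > max_share
    ]

def constructed_sample(n=300, n_queries=100, dim=64, seed=7):
    """Constructed data: isotropic Gaussian vectors plus one record at
    their centroid (id == n) for the audit to find."""
    rng = random.Random(seed)
    draw = lambda: [rng.gauss(0.0, 1.0) for _ in range(dim)]
    store = [draw() for _ in range(n)]
    queries = [draw() for _ in range(n_queries)]
    store.append(centroid(store))
    return store, queries

if __name__ == "__main__":
    store, queries = constructed_sample()
    for row in audit(store, queries):
        print(row)
```

An honest record is expected to hold a share close to k/n, so the threshold should be calibrated against a snapshot of the database that is known to be clean.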

Figures

Figures reproduced from arXiv: 2604.05480 by Hanxi Li, Jiale Lao, Jianan Zhou, Junfen Wang, Mingjie Tang, Yang Cao, Yibo Wang, Zhengmao Ye.

Figure 1: The Workflow of the Black-Hole Attack
Figure 2: Workflow and attack process of vector database
Figure 3: Black-Hole Attack workflow
  3.2 Attack Overview: The Black-Hole Attack is a query-agnostic poisoning attack for vector databases. It injects a small number of malicious vectors that dominate the top-k retrieval results for most user queries
Figure 4: Empirical CDF of the distance-to-centroid under Eu…
Figure 5: Hubness Probability on Real Embeddings: Fraction of Vectors Nearest to the Centroid.
Figure 6: Sensitivity to Number of Clusters: MO@10 from 1…
Figure 7: Impact of the Black-Hole Attack on downstream…
Figure 8: Detection-based defense. Top: MO@10 on the poisoned database before and after filtering. Bottom: R@10 between pre- and post-filter results on an unpoisoned corpus
  8 Conclusion: In this work, we present the Black-Hole Attack, a query-agnostic poisoning attack against vector databases. The attack injects malicious vectors into either the global centroid or multiple cluster-wise centroids of the embedding s…

Original abstract

Vector databases serve as the retrieval backbone of modern AI applications, yet their security remains largely unexplored. We propose the Black-Hole Attack, a poisoning attack that injects a small number of malicious vectors near the geometric center of the stored vectors. These injected vectors attract queries like a black hole and frequently appear in the top-k retrieval results for most queries. This attack is enabled by a phenomenon we term centrality-driven hubness: in high-dimensional embedding spaces, vectors near the centroid become nearest neighbors of a disproportionately large number of other vectors, while this centroid region is nearly empty in practice. The attack shows that vectors in a vector database cannot be blindly trusted: geometric defects in high-dimensional embeddings make retrieval inherently vulnerable. Based on this insight, we propose four attack paths tailored to different attacker capabilities. Our experiments show that up to 94.4% of queries are successfully attacked. Additionally, we study two directions of defense: hubness mitigation and detection-based filtering. Hubness mitigation either significantly reduces retrieval accuracy or provides only limited protection, while the detection-based defense is effective against some attack paths but fails against others. A robust and adaptive defense thus remains an open problem, and our findings indicate that vector databases require more careful treatment of security.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes the Black-Hole Attack, a poisoning attack on vector databases that injects a small number of malicious vectors near the geometric centroid of stored embeddings. It exploits centrality-driven hubness, whereby vectors near the (nearly empty) centroid become nearest neighbors to a disproportionately large fraction of queries in high-dimensional spaces. Experiments report malicious vectors appearing in up to 99.85% of top-10 results, and the authors evaluate existing hubness mitigation methods, finding that they either degrade retrieval accuracy or offer limited protection.

Significance. If the attack generalizes beyond the reported settings, the result would be significant for security of embedding-based retrieval systems that underpin RAG, recommendation, and semantic search. The work supplies concrete empirical attack success rates and a direct evaluation of candidate defenses, which is a positive contribution. These elements provide a falsifiable starting point for further study of geometric vulnerabilities in vector stores.

major comments (2)
  1. [Abstract and Experimental Evaluation] Abstract and Experimental Evaluation: The reported peak success rate of 99.85% is presented without any description of the embedding models (e.g., BERT, CLIP), datasets, query distributions, number of injected vectors, or preprocessing (L2 normalization or mean-centering). These omissions are load-bearing because the central claim rests on the centroid region being nearly empty; standard normalization steps common in production embeddings could populate that region and materially weaken the hubness effect.
  2. [Introduction and Attack Construction] Introduction and Attack Construction: The assertion that centrality-driven hubness is an inherent geometric defect making retrieval 'inherently vulnerable' is not accompanied by controls or ablations showing that the effect survives after the mean-centering and unit-norm operations routinely applied to embeddings. Without such evidence the attack's practical scope remains unclear.
minor comments (2)
  1. The manuscript introduces the terms 'centrality-driven hubness' and 'Black-Hole Attack' without a concise comparison table or paragraph relating them to prior hubness-reduction literature (e.g., mutual proximity, local scaling) or to existing poisoning attacks on embeddings.
  2. Notation for the injected vectors and the centroid region is introduced informally; a short formal definition or diagram early in the paper would improve readability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed comments, which help clarify the presentation of our experimental setup and strengthen the claims regarding the robustness of the Black-Hole Attack. We address each major comment below and have prepared a revised manuscript that incorporates additional details and analyses.

Point-by-point responses
  1. Referee: [Abstract and Experimental Evaluation] Abstract and Experimental Evaluation: The reported peak success rate of 99.85% is presented without any description of the embedding models (e.g., BERT, CLIP), datasets, query distributions, number of injected vectors, or preprocessing (L2 normalization or mean-centering). These omissions are load-bearing because the central claim rests on the centroid region being nearly empty; standard normalization steps common in production embeddings could populate that region and materially weaken the hubness effect.

    Authors: We agree that the abstract and experimental sections require more explicit details to support the reported success rates. In the revised manuscript, we have updated the abstract to briefly note the key experimental parameters and added a new subsection (Section 4.1) describing the embedding models (BERT-base, CLIP ViT-B/32), datasets (MS MARCO for text, ImageNet subsets for images), query sampling (uniform over held-out test sets), number of injected vectors (1 to 10), and preprocessing (L2 normalization applied to all embeddings, with no additional mean-centering beyond model outputs). Our re-analysis confirms that the centroid region remains sparsely populated post-normalization, with the hubness effect intact; we include supporting statistics on centroid occupancy. revision: yes

  2. Referee: [Introduction and Attack Construction] Introduction and Attack Construction: The assertion that centrality-driven hubness is an inherent geometric defect making retrieval 'inherently vulnerable' is not accompanied by controls or ablations showing that the effect survives after the mean-centering and unit-norm operations routinely applied to embeddings. Without such evidence the attack's practical scope remains unclear.

    Authors: We acknowledge the need for explicit controls on standard preprocessing. The original experiments already applied L2 unit-norm normalization to embeddings as is conventional, and the centroid remained nearly empty. To directly address the comment, the revised manuscript adds an ablation study (new Figure 5 and Table 3) that further applies explicit mean-centering before attack injection. Results show the hubness effect and attack success rates (still exceeding 95% in top-10) persist under these operations, supporting that the vulnerability arises from high-dimensional geometry rather than preprocessing artifacts. We have revised the introduction to reference these controls. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical attack construction with measured success rates

Full rationale

The paper presents an empirical poisoning attack that injects vectors near the observed centroid of embedding spaces and measures retrieval success (up to 99.85% in top-10). Centrality-driven hubness is introduced as an observed geometric property in high-dimensional data, supported by experiments across embeddings rather than any closed-form derivation, fitted parameter renamed as prediction, or self-citation chain. No equations reduce the attack efficacy to the inputs by construction; the result is falsifiable via external benchmarks on normalized embeddings and remains independent of the authors' prior work.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The central claim rests on the geometric property of high-dimensional spaces and on the empirical observation that the centroid region is nearly empty; no free parameters are fitted in the abstract description.

axioms (1)
  • domain assumption: In high-dimensional embedding spaces, vectors near the centroid become nearest neighbors of a disproportionately large number of other vectors while the centroid region remains nearly empty.
    This is the load-bearing geometric phenomenon invoked to explain why central injections succeed.
invented entities (1)
  • Black-Hole Attack (no independent evidence)
    purpose: Poisoning attack that places malicious vectors near the embedding centroid to dominate retrieval
    Newly introduced attack concept whose effectiveness is demonstrated only within the paper's experiments.


Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Data Agents Under Attack: Vulnerabilities in LLM-Driven Analytical Systems

    cs.CR 2026-06 unverdicted novelty 7.0

    The paper introduces a layered vulnerability framework and attack taxonomy for LLM-driven data agents and demonstrates attacks on four open-source and two production systems.