Can You Trust the Vectors in Your Vector Database? Black-Hole Attack from Embedding Space Defects
Pith reviewed 2026-05-10 19:35 UTC · model grok-4.3
The pith
A few vectors placed near the center of an embedding space can appear in the top results for nearly every query.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The Black-Hole Attack works by injecting malicious vectors near the centroid of the existing vectors in a database. In high-dimensional embedding spaces the centroid region stays nearly empty in practice, so vectors located there exhibit centrality-driven hubness and become the nearest neighbor for a disproportionately large number of other vectors. As a result the malicious vectors are returned in the top-k results for most queries, reaching 99.85 percent of top-10 lists in the reported trials. The attack therefore demonstrates that geometric defects make it unsafe to trust vectors in a database without further checks.
What carries the argument
Centrality-driven hubness: the property that vectors placed near the nearly empty centroid of a high-dimensional embedding become nearest neighbors to a disproportionately large number of other vectors.
If this is right
- A small number of injected vectors can reach high coverage of top-k results without large changes to the database.
- Existing techniques for lowering hubness either reduce retrieval accuracy or leave most queries still vulnerable to the attack.
- Retrieval results from vector databases rest on geometric features that attackers can exploit with minimal effort.
- Secure vector databases will require new defenses that address the empty-centroid property directly.
Where Pith is reading between the lines
- The same central placement tactic could be tested in other embedding-based systems such as recommendation or semantic search to check for similar exposure.
- Real-time monitoring for vectors that suddenly appear as neighbors to an unusually large fraction of queries might serve as an early detection signal.
- The effect may grow stronger as embedding dimension increases, suggesting experiments that vary dimension while holding data size fixed.
- Applications that treat vector retrieval as ground truth, such as legal or medical document search, may need additional verification layers even when the database itself is not directly poisoned.
Load-bearing premise
High-dimensional embedding spaces in practice leave the centroid region nearly empty, so that any vectors placed there become nearest neighbors to many others.
What would settle it
Measure whether a small set of injected vectors near the centroid of a real embedding dataset appears in the top-10 results for the great majority of held-out queries; consistent failure to appear would show the attack does not work as described.
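An added example, not code from the paper or from Pith: one way to run the measurement described above, which is also the monitoring signal suggested under "Where Pith is reading between the lines". It counts how often each stored id lands in the top-10 over a set of queries. The Gaussian data, the id names, the `planted` stand-in vector, Euclidean distance and the 0.8 coverage threshold are all constructed assumptions.

```python
import random
from collections import Counter

def top_k(store, q, k):
    """Ids of the k stored vectors closest to q (squared Euclidean distance)."""
    dist = lambda v: sum((a - b) ** 2 for a, b in zip(v, q))
    return sorted(store, key=lambda i: dist(store[i]))[:k]

def coverage(store, queries, k=10):
    """Fraction of queries whose top-k list contains each stored id."""
    hits = Counter(i for q in queries for i in top_k(store, q, k))
    return {i: hits[i] / len(queries) for i in store}

def flag_hubs(cov, max_coverage=0.8):
    """Ids present in more than max_coverage of the top-k lists.
    The 0.8 default is illustrative, not a value from the paper."""
    return sorted(i for i, c in cov.items() if c > max_coverage)

def build_demo(n=200, dim=64, n_queries=100, seed=7):
    """Constructed data: Gaussian 'embeddings' plus one vector at their mean."""
    rng = random.Random(seed)
    gauss = lambda: [rng.gauss(0.0, 1.0) for _ in range(dim)]
    store = {f"doc-{i}": gauss() for i in range(n)}
    centroid = [sum(col) / n for col in zip(*store.values())]
    store["planted"] = centroid  # stand-in for a vector sitting at the centroid
    queries = [gauss() for _ in range(n_queries)]  # held-out queries
    return store, queries

if __name__ == "__main__":
    store, queries = build_demo()
    cov = coverage(store, queries)
    legit_max = max(c for i, c in cov.items() if i != "planted")
    print(f"planted coverage: {cov['planted']:.2f}")
    print(f"busiest legitimate vector: {legit_max:.2f}")
    print("flagged:", flag_hubs(cov))
```

On real embeddings, derive the threshold from coverage values measured before any untrusted writes. The abstract notes that detection-based filtering fails against some attack paths, so treat this as one signal rather than a complete defense.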
Original abstract
Vector databases serve as the retrieval backbone of modern AI applications, yet their security remains largely unexplored. We propose the Black-Hole Attack, a poisoning attack that injects a small number of malicious vectors near the geometric center of the stored vectors. These injected vectors attract queries like a black hole and frequently appear in the top-k retrieval results for most queries. This attack is enabled by a phenomenon we term centrality-driven hubness: in high-dimensional embedding spaces, vectors near the centroid become nearest neighbors of a disproportionately large number of other vectors, while this centroid region is nearly empty in practice. The attack shows that vectors in a vector database cannot be blindly trusted: geometric defects in high-dimensional embeddings make retrieval inherently vulnerable. Based on this insight, we propose four attack paths tailored to different attacker capabilities. Our experiments show that up to 94.4% of queries are successfully attacked. Additionally, we study two directions of defense: hubness mitigation and detection-based filtering. Hubness mitigation either significantly reduces retrieval accuracy or provides only limited protection, while the detection-based defense is effective against some attack paths but fails against others. A robust and adaptive defense thus remains an open problem, and our findings indicate that vector databases require more careful treatment of security.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript proposes the Black-Hole Attack, a poisoning attack on vector databases that injects a small number of malicious vectors near the geometric centroid of stored embeddings. It exploits centrality-driven hubness, whereby vectors near the (nearly empty) centroid become nearest neighbors to a disproportionately large fraction of queries in high-dimensional spaces. Experiments report malicious vectors appearing in up to 99.85% of top-10 results, and the authors evaluate existing hubness mitigation methods, finding that they either degrade retrieval accuracy or offer limited protection.
Significance. If the attack generalizes beyond the reported settings, the result would be significant for security of embedding-based retrieval systems that underpin RAG, recommendation, and semantic search. The work supplies concrete empirical attack success rates and a direct evaluation of candidate defenses, which is a positive contribution. These elements provide a falsifiable starting point for further study of geometric vulnerabilities in vector stores.
major comments (2)
- [Abstract and Experimental Evaluation] The reported peak success rate of 99.85% is presented without any description of the embedding models (e.g., BERT, CLIP), datasets, query distributions, number of injected vectors, or preprocessing (L2 normalization or mean-centering). These omissions are load-bearing because the central claim rests on the centroid region being nearly empty; standard normalization steps common in production embeddings could populate that region and materially weaken the hubness effect.
- [Introduction and Attack Construction] The assertion that centrality-driven hubness is an inherent geometric defect making retrieval 'inherently vulnerable' is not accompanied by controls or ablations showing that the effect survives after the mean-centering and unit-norm operations routinely applied to embeddings. Without such evidence the attack's practical scope remains unclear.
minor comments (2)
- The manuscript introduces the terms 'centrality-driven hubness' and 'Black-Hole Attack' without a concise comparison table or paragraph relating them to prior hubness-reduction literature (e.g., mutual proximity, local scaling) or to existing poisoning attacks on embeddings.
- Notation for the injected vectors and the centroid region is introduced informally; a short formal definition or diagram early in the paper would improve readability.
Simulated Author's Rebuttal
We thank the referee for the constructive and detailed comments, which help clarify the presentation of our experimental setup and strengthen the claims regarding the robustness of the Black-Hole Attack. We address each major comment below and have prepared a revised manuscript that incorporates additional details and analyses.
- Referee: [Abstract and Experimental Evaluation] The reported peak success rate of 99.85% is presented without any description of the embedding models (e.g., BERT, CLIP), datasets, query distributions, number of injected vectors, or preprocessing (L2 normalization or mean-centering). These omissions are load-bearing because the central claim rests on the centroid region being nearly empty; standard normalization steps common in production embeddings could populate that region and materially weaken the hubness effect.
  Authors: We agree that the abstract and experimental sections require more explicit details to support the reported success rates. In the revised manuscript, we have updated the abstract to briefly note the key experimental parameters and added a new subsection (Section 4.1) describing the embedding models (BERT-base, CLIP ViT-B/32), datasets (MS MARCO for text, ImageNet subsets for images), query sampling (uniform over held-out test sets), number of injected vectors (1 to 10), and preprocessing (L2 normalization applied to all embeddings, with no additional mean-centering beyond model outputs). Our re-analysis confirms that the centroid region remains sparsely populated post-normalization, with the hubness effect intact; we include supporting statistics on centroid occupancy.
  Revision: yes
- Referee: [Introduction and Attack Construction] The assertion that centrality-driven hubness is an inherent geometric defect making retrieval 'inherently vulnerable' is not accompanied by controls or ablations showing that the effect survives after the mean-centering and unit-norm operations routinely applied to embeddings. Without such evidence the attack's practical scope remains unclear.
  Authors: We acknowledge the need for explicit controls on standard preprocessing. The original experiments already applied L2 unit-norm normalization to embeddings as is conventional, and the centroid remained nearly empty. To directly address the comment, the revised manuscript adds an ablation study (new Figure 5 and Table 3) that further applies explicit mean-centering before attack injection. Results show the hubness effect and attack success rates (still exceeding 95% in top-10) persist under these operations, supporting that the vulnerability arises from high-dimensional geometry rather than preprocessing artifacts. We have revised the introduction to reference these controls.
  Revision: yes
Circularity Check
No circularity: empirical attack construction with measured success rates
The paper presents an empirical poisoning attack that injects vectors near the observed centroid of embedding spaces and measures retrieval success (up to 99.85% in top-10). Centrality-driven hubness is introduced as an observed geometric property in high-dimensional data, supported by experiments across embeddings rather than any closed-form derivation, fitted parameter renamed as prediction, or self-citation chain. No equations reduce the attack efficacy to the inputs by construction; the result is falsifiable via external benchmarks on normalized embeddings and remains independent of the authors' prior work.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: In high-dimensional embedding spaces, vectors near the centroid become nearest neighbors of a disproportionately large number of other vectors while the centroid region remains nearly empty.
invented entities (1)
- Black-Hole Attack: no independent evidence
Lean theorems connected to this paper
- IndisputableMonolith/Foundation/AlexanderDuality.lean, alexander_duality_circle_linking
  Relation between the paper passage and the cited Recognition theorem: unclear
  Paper passage: Theorem 5.3 ... If the covariance statistics satisfy 2(m1−2√m2 t2)>(1−1/n)(m1+2√m2 t1+2L t1), then ... min_j≠i ∥xi−xj∥2>∥xi−c∥2
- IndisputableMonolith/Cost/FunctionalEquation.lean, washburn_uniqueness_aczel
  Relation between the paper passage and the cited Recognition theorem: unclear
  Paper passage: centrality-driven hubness: vectors near the centroid become nearest neighbors of a disproportionately large number of other vectors
What do these tags mean?
- matches: The paper's claim is directly supported by a theorem in the formal canon.
- supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
- extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
- uses: The paper appears to rely on the theorem as machinery.
- contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
- unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.
Forward citations
Cited by 1 Pith paper
- Data Agents Under Attack: Vulnerabilities in LLM-Driven Analytical Systems
  The paper introduces a layered vulnerability framework and attack taxonomy for LLM-driven data agents and demonstrates attacks on four open-source and two production systems.