HubScan: Detecting Hubness Poisoning in Retrieval-Augmented Generation Systems

Researchers Idan Habler, Vineeth Sai Narajala, Stav Koren, Amy Chang, and Tiffany Saade introduced HubScan, an open-source security scanner designed to detect hubness poisoning in Retrieval-Augmented Generation (RAG) systems, in a paper submitted to arXiv on February 25, 2026, addressing a critical security vulnerability where certain items appear disproportionately in search results, potentially allowing malicious actors to introduce harmful content or manipulate system outputs. The research highlights that while RAG systems are essential to contemporary AI applications, allowing large language models to obtain external knowledge through vector similarity search, they face a significant security flaw known as 'hubness' - items that frequently appear in top-k retrieval results for a disproportionately high number of varied queries. This vulnerability can be exploited to introduce harmful content, alter search rankings, bypass content filtering, and decrease system performance. HubScan employs a multi-detector architecture that integrates several innovative approaches to identify malicious hubs, including robust statistical hubness detection using median/MAD-based z-scores, cluster spread analysis to assess cross-cluster retrieval patterns, stability testing under query perturbations, and domain-aware and modality-aware detection for category-specific and cross-modal attacks. The solution is versatile, accommodating multiple vector databases such as FAISS, Pinecone, Qdrant, and Weaviate, while offering various retrieval techniques including vector similarity, hybrid search, and lexical matching with reranking capabilities. This comprehensive approach allows for detection of sophisticated attacks that might otherwise remain hidden in RAG systems. The researchers evaluated HubScan on several adversarial hubness benchmarks including Food-101, MS-COCO, and FiQA, constructed using state-of-the-art gradient-optimized and centroid-based hub generation methods. Results demonstrated impressive performance, with HubScan achieving 90% recall at a 0.2% alert budget and 100% recall at 0.4%, with adversarial hubs ranking above the 99.8th percentile. Notably, domain-scoped scanning recovered 100% of targeted attacks that evade global detection. In production validation using 1 million real web documents from MS MARCO, the tool showed significant score separation between clean documents and adversarial content, providing a practical, extensible framework for detecting hubness threats in production RAG systems.