🤖 AI Summary
This work addresses a critical vulnerability in semantic caching for large language models (LLMs), where the use of semantic embeddings as cache keys introduces an inherent trade-off between locality and collision resistance due to fuzzy hashing, thereby compromising integrity. The study presents the first systematic analysis of this vulnerability and introduces CacheAttack, the first black-box collision attack framework tailored for semantic caches. CacheAttack integrates semantic embedding modeling, black-box adversarial query generation, and cross-model transfer techniques to achieve efficient cache hijacking. Experimental results demonstrate that CacheAttack achieves an 86% hit rate in response hijacking tasks, successfully inducing LLM agents to perform malicious actions. The practical severity of the attack is further validated in a financial agent scenario, highlighting real-world security implications.
📝 Abstract
Semantic caching has emerged as a pivotal technique for scaling LLM applications, widely adopted by major providers including AWS and Microsoft. By utilizing semantic embedding vectors as cache keys, this mechanism effectively minimizes latency and redundant computation for semantically similar queries. In this work, we conceptualize semantic cache keys as a form of fuzzy hashes. We demonstrate that the locality required to maximize cache hit rates fundamentally conflicts with the cryptographic avalanche effect necessary for collision resistance. Our conceptual analysis formalizes this inherent trade-off between performance (locality) and security (collision resilience), revealing that semantic caching is naturally vulnerable to key collision attacks. While prior research has focused on side-channel and privacy risks, we present the first systematic study of integrity risks arising from cache collisions. We introduce CacheAttack, an automated framework for launching black-box collision attacks. We evaluate CacheAttack in security-critical tasks and agentic workflows. It achieves a hit rate of 86% in LLM response hijacking and can induce malicious behaviors in LLM agents, while preserving strong transferability across different embedding models. A case study on a financial agent further illustrates the real-world impact of these vulnerabilities. Finally, we discuss mitigation strategies.
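The locality/collision trade-off described above, as an added illustration that is not the paper's CacheAttack code or any provider's cache implementation: a toy semantic cache in which a bag-of-words vector stands in for a real embedding model and the queries are constructed. Tightening the similarity threshold rejects the query that differs in one critical token but also loses a benign paraphrase, while exact-match verification of critical fields (one of the mitigation directions the abstract alludes to) keeps both paraphrases and rejects the collision.

```python
# Added example (not the paper's code): a toy semantic cache showing why
# locality (paraphrases hit) and collision resistance (near-identical queries
# with a different critical token miss) pull in opposite directions.
# Assumption: bag-of-words vectors stand in for a neural embedding model.
import math
import re
from collections import Counter

def embed(text):
    return Counter(re.findall(r"[a-z0-9$.]+", text.lower()))

def cosine(a, b):
    dot = sum(a[t] * b.get(t, 0) for t in a)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

# Critical fields a guarded cache must match exactly: dollar amounts and the
# recipient named after "to" (deliberately simple heuristic for the demo).
CRITICAL = re.compile(r"\$\d[\d,.]*|(?<=\bto )[A-Z][a-z]+")

class SemanticCache:
    def __init__(self, threshold, guard_fields=False):
        self.threshold, self.guard_fields, self.entries = threshold, guard_fields, []
    def put(self, query, response):
        self.entries.append((query, embed(query), response))
    def get(self, query):
        """Serve the nearest cached response if similarity >= threshold;
        with guard_fields, also require the critical fields to match."""
        if not self.entries:
            return None
        q = embed(query)
        key, vec, response = max(self.entries, key=lambda e: cosine(q, e[1]))
        if cosine(q, vec) < self.threshold:
            return None
        if self.guard_fields and set(CRITICAL.findall(query)) != set(CRITICAL.findall(key)):
            return None
        return response

# Constructed queries: two benign paraphrases, one query that changes only the recipient.
ORIGINAL = "Transfer $100 to Alice from my checking account"
PARAPHRASES = ["Please transfer $100 to Alice from my checking account",
               "Could you please transfer $100 to Alice from my checking account"]
COLLISION = "Transfer $100 to Mallory from my checking account"

def evaluate(threshold, guard_fields=False):
    """Return (benign paraphrases served, whether the collision is served)."""
    cache = SemanticCache(threshold, guard_fields)
    cache.put(ORIGINAL, "APPROVED: send $100 to Alice")
    served = sum(cache.get(q) is not None for q in PARAPHRASES)
    return served, cache.get(COLLISION) is not None
```

`evaluate(0.8)` serves both paraphrases and the collision, `evaluate(0.9)` drops the collision but also one paraphrase, and `evaluate(0.8, True)` serves both paraphrases while rejecting the collision.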