Practical Poisoning Attacks against Retrieval-Augmented Generation

📅 2025-04-04
🤖 AI Summary
Existing Retrieval-Augmented Generation (RAG) systems are vulnerable to knowledge base poisoning attacks; however, mainstream approaches require injecting large volumes of malicious texts to suppress correct answers—rendering them impractical in real-world deployments. Method: We propose the first single-sample, highly stealthy RAG poisoning attack: only one carefully crafted adversarial document is injected into the knowledge base to significantly mislead model outputs. Our method leverages semantic alignment and retrieval ranking manipulation, integrating query rewriting with vector-space perturbation to achieve targeted poisoning under minimal injection overhead (i.e., one document). Contribution/Results: Evaluated across multiple benchmark datasets, our attack achieves substantially higher success rates than prior methods. It is the first to empirically demonstrate that real-world RAG deployments can suffer catastrophic failures from a single-point poisoning event—thereby revealing a critical, previously underestimated security threat. This work provides both a novel conceptual framework and empirical evidence to advance research on RAG robustness and adversarial resilience.

📝 Abstract
Large language models (LLMs) have demonstrated impressive natural language processing abilities but face challenges such as hallucination and outdated knowledge. Retrieval-Augmented Generation (RAG) has emerged as a state-of-the-art approach to mitigate these issues. While RAG enhances LLM outputs, it remains vulnerable to poisoning attacks. Recent studies show that injecting poisoned text into the knowledge database can compromise RAG systems, but most existing attacks assume that the attacker can insert a sufficient number of poisoned texts per query to outnumber correct-answer texts in retrieval, an assumption that is often unrealistic. To address this limitation, we propose CorruptRAG, a practical poisoning attack against RAG systems in which the attacker injects only a single poisoned text, enhancing both feasibility and stealth. Extensive experiments across multiple datasets demonstrate that CorruptRAG achieves higher attack success rates compared to existing baselines.
Problem

Research questions and friction points this paper is trying to address.

RAG systems vulnerable to poisoning attacks
Existing attacks require unrealistic text injection volumes
CorruptRAG enhances attack feasibility with single poisoned text
Innovation

Methods, ideas, or system contributions that make the work stand out.

Single poisoned text injection attack
Enhances feasibility and stealth
Higher attack success rates achieved