🤖 AI Summary
This work addresses the privacy risks inherent in federated large language models, where adapter-based parameter-efficient fine-tuning still exposes training data to leakage. The authors propose UTR, the first gradient inversion attack tailored to adapter architectures, which overcomes three key challenges (low-dimensional gradients, frozen backbone parameters, and combinatorial explosion) by analyzing attention patterns in the frozen backbone, performing sentence-level reconstruction within the low-rank adapter gradient subspace, and incorporating linguistic priors during decoding. Experiments demonstrate that UTR achieves remarkable reconstruction accuracy, with ROUGE-1/2 scores exceeding 99% on models including GPT2-Large, BERT, and Qwen2.5-7B, substantially outperforming existing methods. These results expose a fundamental tension between parameter-efficient fine-tuning and data privacy in federated learning settings.
📝 Abstract
Adapter-based Federated Large Language Models (FedLLMs) are widely adopted to reduce the computational, storage, and communication overhead of full-parameter fine-tuning for web-scale applications while preserving user privacy. By freezing the backbone and training only compact low-rank adapters, these methods appear to limit gradient leakage and thwart existing Gradient Inversion Attacks (GIAs). Contrary to this assumption, we show that low-rank adapters create new, exploitable leakage channels. We propose the Unordered-word-bag-based Text Reconstruction (UTR) attack, a novel GIA tailored to the unique structure of adapter-based FedLLMs. UTR overcomes three core challenges (low-dimensional gradients, frozen backbones, and combinatorially large reconstruction spaces) by: (i) inferring token presence from attention patterns in frozen layers, (ii) performing sentence-level inversion within the low-rank subspace of adapter gradients, and (iii) enforcing semantic coherence through constrained greedy decoding guided by language priors. Extensive experiments across diverse models (GPT2-Large, BERT, Qwen2.5-7B) and datasets (CoLA, SST-2, Rotten Tomatoes) demonstrate that UTR achieves near-perfect reconstruction accuracy (ROUGE-1/2 > 99), even with large batch size settings where prior GIAs fail completely. Our results reveal a fundamental tension between parameter efficiency and privacy in FedLLMs, challenging the prevailing belief that lightweight adaptation inherently enhances security. Our code and data are available at https://github.com/shwksnshwowk-wq/GIA.