Differential privacy (DP) is commonly employed to protect graph structures in graph neural network (GNN) explanations; however, this work reveals that significant privacy leakage risks persist despite such protections. To expose this vulnerability, we propose PRIVX, an attack method that models DP-perturbed GNN explanations as a forward diffusion process with known noise levels and reconstructs the original graph structure with high accuracy via conditional reverse diffusion. This study is the first to demonstrate that DP fails to adequately safeguard graph privacy in GNN explanations. We introduce a hierarchical adversarial framework, establish provable upper and lower bounds on attack AUC, and develop PRIVF—a diagnostic tool to decompose sources of leakage. Experiments show that under a standard privacy budget of ε=5, PRIVX achieves AUC scores above 0.7 on five out of seven benchmark datasets, confirming the feasibility of effective graph reconstruction.

Regulatory frameworks such as GDPR increasingly require that ML predictions be accompanied by post-hoc explanations, even when raw data and trained models cannot be released. Differential privacy (DP) is the standard mitigation for the residual privacy risk of releasing these explanations. We show that DP is not sufficient: an adversary observing only DP-perturbed GNN explanations can reconstruct hidden graph structure with high accuracy. Our attack, PRIVX, exploits the fact that the Gaussian DP mechanism is a single DDPM forward step at known noise level σ(ε), recasting reconstruction as reverse diffusion conditioned on the corrupted signal, a principled Bayesian denoiser under known DP corruption. We formalise a stratified adversary model parameterised by (M, \hatε, \hatδ, S, ρ) that interpolates between oblivious and oracle attackers, and derive endpoint-matched two-sided bounds on reconstruction AUC. For practitioners, we provide regime-stratified guidance on explainer choice: on homophilic graphs, neighbourhood-aggregating explainers (GraphLIME, GNNExplainer) leak more structure than per-node gradient explainers under the same DP budget; on strongly heterophilic graphs the ordering reverses. We introduce PRIVF as an auxiliary diagnostic sharing the same diffusion backbone to decompose leakage into explainer-induced and intrinsic graph-distribution components. Experiments across seven benchmarks, three DP mechanisms, and three GNN backbones show PRIVX achieves AUC above 0.7 at ε = 5 on five of seven datasets, with the attack succeeding well within typically deployed privacy budgets.