RAG systems are vulnerable to knowledge contamination attacks, yet existing methods target only domain-specific or semantically similar queries, lacking cross-domain generalizability. This paper proposes the first general-purpose knowledge contamination attack framework capable of handling diverse topics and domains. We formulate the attack as a multi-query joint optimization problem, introduce a balance-aware similarity-based clustering strategy to select high-impact passages, and jointly optimize adversarial content to enhance cross-domain transferability. Experiments demonstrate that injecting merely 100 adversarial passages into a million-document corpus achieves over 90% attack success rate across 2,000 user queries spanning heterogeneous domains—substantially outperforming prior approaches. Moreover, mainstream defense mechanisms prove largely ineffective against this generalized attack. Our work uncovers a fundamental vulnerability of RAG systems in open-world settings and establishes a new benchmark and cautionary insight for robustness research.

Retrieval-augmented generation (RAG) systems are widely deployed in real-world applications in diverse domains such as finance, healthcare, and cybersecurity. However, many studies showed that they are vulnerable to knowledge corruption attacks, where an attacker can inject adversarial texts into the knowledge database of a RAG system to induce the LLM to generate attacker-desired outputs. Existing studies mainly focus on attacking specific queries or queries with similar topics (or keywords). In this work, we propose UniC-RAG, a universal knowledge corruption attack against RAG systems. Unlike prior work, UniC-RAG jointly optimizes a small number of adversarial texts that can simultaneously attack a large number of user queries with diverse topics and domains, enabling an attacker to achieve various malicious objectives, such as directing users to malicious websites, triggering harmful command execution, or launching denial-of-service attacks. We formulate UniC-RAG as an optimization problem and further design an effective solution to solve it, including a balanced similarity-based clustering method to enhance the attack's effectiveness. Our extensive evaluations demonstrate that UniC-RAG is highly effective and significantly outperforms baselines. For instance, UniC-RAG could achieve over 90% attack success rate by injecting 100 adversarial texts into a knowledge database with millions of texts to simultaneously attack a large set of user queries (e.g., 2,000). Additionally, we evaluate existing defenses and show that they are insufficient to defend against UniC-RAG, highlighting the need for new defense mechanisms in RAG systems.