This work uncovers an implicit privacy risk in federated unlearning (FU): existing methods prioritize efficiency over security, rendering them vulnerable to server-side inversion attacks. To address this, the authors propose Federated Unlearning Inversion Attack (FUIA), the first unified framework targeting sample-, client-, and class-level unlearning scenarios. FUIA exploits observable model parameter differences before and after unlearning at the server—leveraging gradient differential analysis, optimization-driven feature reconstruction, and label inference to recover forgotten data. Extensive experiments across multiple benchmark datasets demonstrate its efficacy, achieving image reconstruction PSNR >25 dB and label inference accuracy >85%. This study provides the first systematic evidence that FU may exacerbate—not mitigate—privacy leakage. Furthermore, it reveals that prevailing defense mechanisms severely compromise unlearning effectiveness as a trade-off for marginal privacy gains.

With the introduction of regulations related to the ``right to be forgotten", federated learning (FL) is facing new privacy compliance challenges. To address these challenges, researchers have proposed federated unlearning (FU). However, existing FU research has primarily focused on improving the efficiency of unlearning, with less attention paid to the potential privacy vulnerabilities inherent in these methods. To address this gap, we draw inspiration from gradient inversion attacks in FL and propose the federated unlearning inversion attack (FUIA). The FUIA is specifically designed for the three types of FU (sample unlearning, client unlearning, and class unlearning), aiming to provide a comprehensive analysis of the privacy leakage risks associated with FU. In FUIA, the server acts as an honest-but-curious attacker, recording and exploiting the model differences before and after unlearning to expose the features and labels of forgotten data. FUIA significantly leaks the privacy of forgotten data and can target all types of FU. This attack contradicts the goal of FU to eliminate specific data influence, instead exploiting its vulnerabilities to recover forgotten data and expose its privacy flaws. Extensive experimental results show that FUIA can effectively reveal the private information of forgotten data. To mitigate this privacy leakage, we also explore two potential defense methods, although these come at the cost of reduced unlearning effectiveness and the usability of the unlearned model.