🤖 AI Summary
This work addresses the vulnerability of traditional retrieval-augmented generation (RAG) systems to malicious knowledge injection attacks, which are often easily detectable. The authors propose CAREATTACK, a novel framework that, for the first time, integrates closed-form parameter editing into dense retrievers to enable stealthy and efficient model-level attacks under the assumption of open access to retriever parameters. By combining graph-structured conflict detection with parameter projection, CAREATTACK employs a two-stage strategy—conflict-aware retriever editing followed by attack anchor refinement—to precisely inject malicious knowledge in response to batched target prompts while leaving non-target queries unaffected. Experimental results on three benchmark datasets demonstrate that CAREATTACK substantially elevates the retrieval rankings of adversarial passages, exposing critical security risks in open-source retrieval-augmented systems.
📝 Abstract
Injecting malicious knowledge into retrieval-augmented generation (RAG) systems can manipulate retrieved evidence and mislead downstream generation, posing a serious security threat for AI applications. Existing RAG injection attacks mainly rely on manipulating external knowledge bases, such as crafting malicious corpus. However, the synthetic text crafted by such data-centric methods could be detectable, leading to the failure of attacks. Beyond corpus manipulation, open-source retrievers are increasingly exposing RAG systems to model-centric attacks. In this paper, we propose conflict-aware retriever editing, i.e., CAREATTACK, a model-centric retriever attack framework for malicious knowledge injection in RAG. Specifically, CAREATTACK consists two stages of conflict-aware retriever editing and attack-preserving anchor repair. Conflict-aware retriever editing adapts efficient closed-form parameter editing to the dense retrieval model, promoting malicious knowledge above benign competing passages and resolving potential parameter conflicts through graph-based conflict detection and parameter editing projection. Then, attack-preserving anchor repair performs lightweight calibration on the edited retriever to further eliminate the impact on non-target prompts while preserving the attack effectiveness for target prompts. We instantiate CAREATTACK on Qwen3-Embedding-0.6B and BGE-M3, and conduct evaluation on three benchmark datasets. Experimental results demonstrate our method substantially promote malicious passages into the retrieved knowledge of RAG systems and can perform attacks for batches of target prompts and passages, given the access of retrieval model parameters. Since most RAG systems are built upon open-source retrieval models, this work reveals a practical attack surface in RAG systems. Codes are public accessible at https://anonymous.4open.science/r/CareAttack-3F1C.