Search papers, labs, and topics across Lattice.
This paper investigates the vulnerabilities of Retrieval-Augmented Generation (RAG) systems to corpus poisoning attacks within realistic multi-stage retrieval pipelines that include document chunking and reranking. The authors find that many existing poisoning attacks lose effectiveness after reranking due to a mismatch in retrieval granularity, which fragments adversarial signals. To address this, they introduce Chunk-aware and Rerank-Consistent Poisoning (CRCP), a novel framework that optimizes for both retrieval relevance and reranker consistency, demonstrating significantly improved attack success rates across various retrieval configurations.
Existing corpus poisoning attacks falter in realistic RAG systems, but the new CRCP framework ensures adversarial effectiveness by aligning chunking and reranking processes.
Retrieval-Augmented Generation (RAG) systems are vulnerable to corpus poisoning attacks that manipulate downstream model outputs through malicious knowledge injection. Existing studies mainly evaluate poisoning under simplified retrieval settings, overlooking practical RAG pipelines involving document chunking, dense retrieval, reranking, and grounded generation. In this paper, we revisit corpus poisoning under realistic multi-stage retrieval pipelines and show that many existing attacks substantially degrade after reranking despite achieving high retrieval-stage relevance. We identify retrieval granularity mismatch as a key reason for this failure: document-level adversarial signals are often fragmented during chunking, while rerankers favor locally coherent and answer-bearing passages rather than globally optimized semantic similarity. Based on this observation, we propose Chunk-aware and Rerank-Consistent Poisoning (CRCP), a poisoning framework that jointly optimizes retrieval relevance, reranker consistency, and chunk-boundary robustness. CRCP explicitly models chunking transformations during optimization to generate locally self-contained adversarial passages that remain effective under varying chunking configurations. Experiments on standard RAG benchmarks with multiple retrievers and rerankers show that existing poisoning methods are highly sensitive to chunk size and reranking strategies, whereas CRCP achieves substantially higher attack success rates and stronger robustness across realistic retrieval pipelines. Our findings highlight an important realism gap in current RAG security evaluation and suggest that poisoning in modern RAG systems should be studied as a multi-stage retrieval consistency problem rather than a retrieval-only problem.