Search papers, labs, and topics across Lattice.
This paper introduces KidnapRAG, a novel black-box poisoning attack designed to compromise Agentic Retrieval-Augmented Generation (RAG) systems by manipulating their reasoning processes. By utilizing a strategic combination of three role-specific documents鈥擝ait, Chain-Link, and Mal-Ins鈥攖he attack effectively hijacks the multi-step reasoning chain, leading to significant deviations in the model's output. Experimental results demonstrate that KidnapRAG consistently outperforms existing black-box poisoning methods across various frameworks and benchmarks, highlighting the vulnerabilities of Agentic RAG systems to such attacks.
KidnapRAG reveals how a clever sequence of poisoned documents can subvert the reasoning of advanced RAG systems, showcasing a critical vulnerability in their design.
Retrieval-Augmented Generation (RAG) systems are vulnerable to poisoning attacks that inject malicious documents into the retrieval process to manipulate model outputs. Recent Agentic RAG systems are more robust to such attacks because they iteratively perform retrieval and reasoning, allowing them to ignore weakly relevant poisoned documents and preserve the reasoning chain induced by the user query. However, existing attacks on Agentic RAG systems often assume white-box access to system prompts, reasoning traces, retrievers, or model parameters, limiting their applicability in realistic settings. In this paper, we study black-box poisoning attacks against Agentic RAG systems, where the attacker can only publish externally retrievable poisoned documents. We propose KidnapRAG, a sequential poisoning attack that hijacks the agent's multi-step reasoning chain using three role-specific documents: Bait, Chain-Link, and Mal-Ins, which attract initial retrieval, induce query reformulation, and provide attacker-controlled evidence, respectively. Experiments across multiple Agentic RAG frameworks, LLM backbones, and benchmarks show that KidnapRAG consistently outperforms existing poisoning baselines under black-box conditions. Further analyses show that KidnapRAG progressively weakens the original retrieval intent, redirects retrieval behavior, and increases reliance on attacker-controlled evidence. Our code is publicly available at https://github.com/chanwoochoi316/KidnapRAG.