UniC-RAG: Universal Knowledge Corruption Attacks to Retrieval-Augmented Generation
Runpeng Geng, Yanting Wang, Ying Chen, Jinyuan Jia
Published on arXiv: 2508.18652
Input Manipulation Attack
OWASP ML Top 10 — ML01
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
Achieves over 90% attack success rate by injecting 100 adversarial texts into a database with millions of entries to simultaneously attack 2,000 diverse user queries, outperforming all baselines.
UniC-RAG
Novel technique introduced
Retrieval-augmented generation (RAG) systems are widely deployed in real-world applications in diverse domains such as finance, healthcare, and cybersecurity. However, many studies showed that they are vulnerable to knowledge corruption attacks, where an attacker can inject adversarial texts into the knowledge database of a RAG system to induce the LLM to generate attacker-desired outputs. Existing studies mainly focus on attacking specific queries or queries with similar topics (or keywords). In this work, we propose UniC-RAG, a universal knowledge corruption attack against RAG systems. Unlike prior work, UniC-RAG jointly optimizes a small number of adversarial texts that can simultaneously attack a large number of user queries with diverse topics and domains, enabling an attacker to achieve various malicious objectives, such as directing users to malicious websites, triggering harmful command execution, or launching denial-of-service attacks. We formulate UniC-RAG as an optimization problem and further design an effective solution to solve it, including a balanced similarity-based clustering method to enhance the attack's effectiveness. Our extensive evaluations demonstrate that UniC-RAG is highly effective and significantly outperforms baselines. For instance, UniC-RAG could achieve over 90% attack success rate by injecting 100 adversarial texts into a knowledge database with millions of texts to simultaneously attack a large set of user queries (e.g., 2,000). Additionally, we evaluate existing defenses and show that they are insufficient to defend against UniC-RAG, highlighting the need for new defense mechanisms in RAG systems.
Key Contributions
- UniC-RAG: first universal RAG knowledge corruption attack optimizing a small adversarial text set to simultaneously attack thousands of topically diverse queries
- Balanced similarity-based clustering method to enhance cross-domain adversarial text effectiveness
- Empirical demonstration that existing RAG defenses are insufficient, with >90% attack success rate injecting only 100 texts into a millions-entry knowledge base
🛡️ Threat Analysis
Adversarial document injection into a RAG retrieval system: the injected texts are optimized both to be retrieved and to manipulate downstream LLM outputs, matching the explicit ML01 dual-tagging scenario for adversarial document injection in RAG pipelines.