attack 2026

Subgraph Reconstruction Attacks on Graph RAG Deployments with Practical Defenses

Minkyoo Song 1, Jaehan Kim 1, Myungchul Kang 2,1, Hanna Kim 1, Seungwon Shin 1, Sooel Son 1

0 citations · 36 references · arXiv (Cornell University)

Published on arXiv: 2602.06495

Sensitive Information Disclosure

OWASP LLM Top 10 — LLM06

Key Finding

GRASP achieves up to 82.9 F1 in type-faithful subgraph reconstruction against four safety-aligned LLMs where all prior extraction methods fail under realistic prompt-based safeguards.

Novel technique introduced: GRASP


Graph-based retrieval-augmented generation (Graph RAG) is increasingly deployed to support LLM applications by augmenting user queries with structured knowledge retrieved from a knowledge graph. While Graph RAG improves relational reasoning, it introduces a largely understudied threat: adversaries can reconstruct subgraphs from a target RAG system's knowledge graph, enabling privacy inference and replication of curated knowledge assets. We show that existing attacks are largely ineffective against Graph RAG even with simple prompt-based safeguards, because these attacks expose explicit exfiltration intent and are therefore easily suppressed by lightweight safe prompts. We identify three technical challenges for practical Graph RAG extraction under realistic safeguards and introduce GRASP, a closed-box, multi-turn subgraph reconstruction attack. GRASP (i) reframes extraction as a context-processing task, (ii) enforces format-compliant, instance-grounded outputs via per-record identifiers to reduce hallucinations and preserve relational details, and (iii) diversifies goal-driven attack queries using a momentum-aware scheduler to operate within strict query budgets. Across two real-world knowledge graphs, four safety-aligned LLMs, and multiple Graph RAG frameworks, GRASP attains the strongest type-faithful reconstruction where prior methods fail, reaching up to 82.9 F1. We further evaluate defenses and propose two lightweight mitigations that substantially reduce reconstruction fidelity without utility loss.


Key Contributions

  • GRASP: a closed-box, multi-turn subgraph reconstruction attack that reframes extraction as a context-processing task, uses per-record identifiers to reduce hallucinations, and employs a momentum-aware query scheduler to operate under strict query budgets
  • Empirical demonstration that existing attacks expose exfiltration intent and are easily suppressed by lightweight safe prompts, while GRASP bypasses these safeguards to achieve up to 82.9 F1 across four safety-aligned LLMs and multiple Graph RAG frameworks
  • Two lightweight defense mitigations that substantially reduce reconstruction fidelity without degrading RAG utility


Details

Domains
nlp, graph
Model Types
llm
Threat Tags
black_box, inference_time, targeted
Datasets
two real-world knowledge graphs (unspecified by name in available text)
Applications
graph rag systems, knowledge graph-augmented llm applications