survey 2026

Securing Retrieval-Augmented Generation: A Taxonomy of Attacks, Defenses, and Future Directions

Yuming Xu 1, Mingtao Zhang 1, Zhuohan Ge 1, Haoyang Li 1, Nicole Hu 1, Jason Chen Zhang 1, Qing Li 1, Lei Chen 2

1 The Hong Kong Polytechnic University

2 The Hong Kong University of Science and Technology

0 citations
α

Published on arXiv

2604.08304

Prompt Injection

OWASP LLM Top 10 — LLM01

Sensitive Information Disclosure

OWASP LLM Top 10 — LLM06

Key Finding

Reveals that current RAG defenses remain largely reactive and fragmented, lacking layered boundary-aware protection across the knowledge-access lifecycle

Retrieval-augmented generation (RAG) significantly enhances large language models (LLMs) but introduces novel security risks through external knowledge access. While existing studies cover various RAG vulnerabilities, they often conflate inherent LLM risks with those specifically introduced by RAG. In this paper, we propose that secure RAG is fundamentally about the security of the external knowledge-access pipeline. We establish an operational boundary to separate inherent LLM flaws from RAG-introduced or RAG-amplified threats. Guided by this perspective, we abstract the RAG workflow into six stages and organize the literature around three trust boundaries and four primary security surfaces, including pre-retrieval knowledge corruption, retrieval-time access manipulation, downstream context exploitation, and knowledge exfiltration. By systematically reviewing the corresponding attacks, defenses, remediation mechanisms, and evaluation benchmarks, we reveal that current defenses remain largely reactive and fragmented. Finally, we discuss these gaps and highlight future directions toward layered, boundary-aware protection across the entire knowledge-access lifecycle.

Key Contributions

  • Establishes operational boundary separating inherent LLM risks from RAG-introduced/amplified threats
  • Organizes RAG security literature around four security surfaces: pre-retrieval corruption, retrieval manipulation, context exploitation, and knowledge exfiltration
  • Systematically reviews attacks, defenses, remediation mechanisms, and benchmarks for secure external knowledge access

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time
Applications
retrieval-augmented generationknowledge-grounded llms
Read PDF arXiv

Similar Papers

defense

SD-RAG: A Prompt-Injection-Resilient Framework for Selective Disclosure in Retrieval-Augmented Generation

2026 1 cit.
83%
defense

Chain-of-Authorization: Internalizing Authorization into Large Language Models via Reasoning Trajectories

2026 0 cit.
83%
benchmark

A Practical Framework for Evaluating Medical AI Security: Reproducible Assessment of Jailbreaking and Privacy Vulnerabilities Across Clinical Specialties

2025 0 cit.
77%
defense

LeakSealer: A Semisupervised Defense for LLMs Against Prompt Injection and Leakage Attacks

2025 0 cit.
77%
benchmark

Automated Framework to Evaluate and Harden LLM System Instructions against Encoding Attacks

2026 0 cit.
77%
benchmark

A Comprehensive Evaluation of LLM Unlearning Robustness under Multi-Turn Interaction

2026 0 cit.
77%
attack

Silent Egress: When Implicit Prompt Injection Makes LLM Agents Leak Without a Trace

2026 0 cit.
77%
benchmark

Evaluating Language Model Reasoning about Confidential Information

2025 0 cit.
77%