{"ID":2831052,"CreatedAt":"2026-06-01T04:54:23.091178241Z","UpdatedAt":"2026-06-01T04:54:23.091178241Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2512.08289","arxiv_id":"2512.08289","title":"MIRAGE: Misleading Retrieval-Augmented Generation via Black-box and Query-agnostic Poisoning Attacks","abstract":"Retrieval-Augmented Generation (RAG) systems enhance LLMs with external knowledge but introduce a critical attack surface: corpus poisoning. While recent studies have demonstrated the potential of such attacks, they typically rely on impractical assumptions, such as white-box access or known user queries, thereby underestimating the difficulty of real-world exploitation. In this paper, we bridge this gap by proposing MIRAGE, a novel multi-stage poisoning pipeline designed for strict black-box and query-agnostic environments. Operating on surrogate model feedback, MIRAGE functions as an automated optimization framework that integrates three key mechanisms: it utilizes persona-driven query synthesis to approximate latent user search distributions, employs semantic anchoring to imperceptibly embed these intents for high retrieval visibility, and leverages an adversarial variant of Test-Time Preference Optimization (TPO) to maximize persuasion. To rigorously evaluate this threat, we construct a new benchmark derived from three long-form, domain-specific datasets. Extensive experiments demonstrate that MIRAGE significantly outperforms existing baselines in both attack efficacy and stealthiness, exhibiting remarkable transferability across diverse retriever-LLM configurations and highlighting the urgent need for robust defense strategies.","short_abstract":"Retrieval-Augmented Generation (RAG) systems enhance LLMs with external knowledge but introduce a critical attack surface: corpus poisoning. While recent studies have demonstrated the potential of such attacks, they typically rely on impractical assumptions, such as white-box access or known user queries, thereby under...","url_abs":"https://arxiv.org/abs/2512.08289","url_pdf":"https://arxiv.org/pdf/2512.08289v2","authors":"[\"Tailun Chen\",\"Yu He\",\"Yan Wang\",\"Shuo Shao\",\"Haolun Zheng\",\"Zhihao Liu\",\"Jinfeng Li\",\"Zhizhen Qin\",\"Yuefeng Chen\",\"Zhixuan Chu\",\"Zhan Qin\",\"Kui Ren\"]","published":"2025-12-09T06:38:16Z","proceeding":"cs.CR","tasks":"[\"cs.CR\"]","methods":"[\"RAG\",\"Large Language Model\"]","has_code":false}