How Much Can a Query Reveal? Structural Knowledge Stealing from Graph RAG via Traversal Reconstruction
Keywords: Graph Retrieval-Augmented Generation, Privacy Attack, Large Language Models
Abstract: Retrieval-Augmented Generation (RAG) has become a popular paradigm for enhancing large language models (LLMs) with external knowledge. Recent advances have extended this framework to structured data, leading to the emergence of Graph RAG systems that retrieve and reason over knowledge graphs. Despite their widespread applications, the privacy implications of such systems remain largely unexplored. In this work, we investigate a critical privacy vulnerability in Graph RAG systems: a significant portion of inherent structural knowledge can be easily exploited by malicious adversaries through carefully crafted queries, even in the black-box setting. We propose a query-based attack strategy that efficiently reconstructs the knowledge graph, including node-level and topology-level information, leveraging breadth-first traversal for untargeted attacks and depth-first traversal for targeted attacks. Experiments on generic and healthcare scenarios show that our method can recover over 90% of the original knowledge graph from representative Graph RAG systems, exposing sensitive information with high fidelity. We further evaluate the efficacy of existing defense strategies and discuss the primary challenges of safeguarding Graph RAG pipelines. To the best of our knowledge, this is the first systematic study of privacy risks in Graph RAG systems. Our findings underscore the urgent need for privacy-aware mechanisms in current graph retrieval-augmented AI systems.
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Submission Number: 16653