LogicPoison: Logical Attacks on Graph Retrieval-Augmented Generation

arXiv cs.CL / 4/6/2026

📰 NewsSignals & Early TrendsIdeas & Deep AnalysisModels & Research

共有:

Key Points

GraphRAG improves LLM reasoning by grounding answers in knowledge graphs, and it is often viewed as resistant to classic RAG attacks like text poisoning and prompt injection.
The paper argues that GraphRAG’s security actually depends heavily on the graph’s topological/logical integrity, which attackers can corrupt without changing surface-level text.
It introduces LogicPoison, an attack framework that uses type-preserving entity swapping to disrupt both global connectivity (logic hubs) and query-specific multi-hop reasoning paths (reasoning bridges).
Experiments across multiple benchmarks show LogicPoison can bypass GraphRAG defenses with strong stealth, substantially degrading performance compared with state-of-the-art baselines.
The authors provide an open-source implementation of LogicPoison, enabling reproducibility and further security assessment of GraphRAG systems.

Abstract

Graph-based Retrieval-Augmented Generation (GraphRAG) enhances the reasoning capabilities of Large Language Models (LLMs) by grounding their responses in structured knowledge graphs. Leveraging community detection and relation filtering techniques, GraphRAG systems demonstrate inherent resistance to traditional RAG attacks, such as text poisoning and prompt injection. However, in this paper, we find that the security of GraphRAG systems fundamentally relies on the topological integrity of the underlying graph, which can be undermined by implicitly corrupting the logical connections, without altering surface-level text semantics. To exploit this vulnerability, we propose \textsc{LogicPoison}, a novel attack framework that targets logical reasoning rather than injecting false contents. Specifically, \textsc{LogicPoison} employs a type-preserving entity swapping mechanism to perturb both global logic hubs for disrupting overall graph connectivity and query-specific reasoning bridges for severing essential multi-hop inference paths. This approach effectively reroutes valid reasoning into dead ends while maintaining surface-level textual plausibility. Comprehensive experiments across multiple benchmarks demonstrate that \textsc{LogicPoison} successfully bypasses GraphRAG's defenses, significantly degrading performance and outperforming state-of-the-art baselines in both effectiveness and stealth. Our code is available at \textcolor{blue}https://github.com/Jord8061/logicPoison.