system: OPERATIONAL
← back to all hacks
INDIRECT INJECTION MEDIUM NEW

Kidnapping the reasoning chain: black-box poisoning of agentic RAG

A July 2026 paper shows attackers who can only publish web documents can hijack an agentic RAG system's multi-step reasoning — no access to prompts, retrievers, or weights required.

2026-07-06 // 6 min affects: agentic-rag, rag-agents, llm-agents, tool-calling-agents

What is this?

Classic retrieval-augmented generation (RAG) does one retrieval, stuffs the results into the prompt, and answers. That single step is easy to poison: publish a document that ranks for the query, and the model may repeat whatever you wrote. Agentic RAG was supposed to be harder to fool, because it retrieves and reasons in a loop — reformulating the query, fetching again, and discarding weakly relevant hits — so a lone poisoned document tends to get filtered out along the way.

A paper published on arXiv on 1 July 2026, KidnapRAG: A Black-Box Attack for Hijacking Reasoning in Agentic Retrieval-Augmented Generation Systems (arXiv:2607.00422), argues that this added robustness is thinner than it looks. The authors show that an attacker who can only publish externally retrievable documents — the realistic case for anyone targeting a system that reads the open web or a shared corpus — can still steer the agent’s whole reasoning chain, without any access to its system prompt, reasoning traces, retriever, or model weights.

How it works

The key idea is to stop thinking of a poisoned document as a one-shot payload and start thinking of it as one move in a multi-turn sequence, mirroring how the agent itself works. KidnapRAG plants a small set of documents that play three distinct roles across the retrieval loop.

The first role is a bait document, whose job is simply to be attractive enough to the user’s original query to get pulled into the first retrieval. The second is a chain-link document, which nudges the agent’s next query reformulation in a direction the attacker chose — bending the loop away from its original intent rather than fighting it head-on. The third is a malicious-instruction document that supplies the attacker-controlled “evidence” the agent then reasons over once it has been steered onto that path. Because each document only has to win one weakly-contested step, none of them needs to look like an obvious injection, and the iterative loop that was meant to filter noise instead carries the manipulation forward.

The authors report that, across multiple agentic RAG frameworks, several LLM backbones, and standard benchmarks, this sequential approach consistently outperforms earlier poisoning baselines under black-box conditions. Their analysis traces why: the attack progressively weakens the original retrieval intent, redirects retrieval behaviour turn by turn, and increases the agent’s reliance on the attacker’s evidence as the loop proceeds. This is a black-box continuation of a broader 2025–2026 line of work on query-agnostic corpus poisoning such as MIRAGE (arXiv:2512.08289).

Why it matters

The uncomfortable part is the threat model. This is not a jailbreak typed into a chat box, and it does not require insider access. Any pipeline that retrieves from a corpus an outsider can contribute to — public web pages, a wiki, a customer knowledge base, an indexed ticket system — is in scope. The “agentic” defenses that teams increasingly rely on (multi-hop retrieval, self-reflection, query rewriting) are exactly the mechanism the attack rides on, so treating iteration as a security feature is a mistake.

The impact is also quieter than a refusal-bypass. A hijacked reasoning chain can surface attacker-chosen conclusions, citations, or recommendations that look well-sourced because the agent genuinely retrieved and reasoned over them. In decision-support, research, or coding-assistant settings, that is a credibility and integrity problem, not just a content-safety one.

Defenses

No single control stops corpus poisoning; the goal is to keep untrusted retrieved text from silently becoming trusted evidence.

Track provenance through the loop. Tag every retrieved chunk with its source and trust level, and carry that label through each retrieval-reasoning hop. Information-flow-control defenses such as Cordon-MAS (arXiv:2605.26754) formalise exactly this — preventing low-trust content from steering high-trust decisions.

Constrain query reformulation. The attack works by bending the agent’s next query. Bound how far reformulations may drift from the user’s original intent, and flag reformulations that swing sharply toward a newly-introduced topic.

Diversify and cross-check retrieval. Require corroboration from independent, higher-trust sources before acting on a claim, and down-weight conclusions that rest on a single freshly-published or low-reputation document.

Curate contributable corpora. For knowledge bases outsiders can write to, apply admission controls, reputation signals, and anomaly detection on newly indexed documents rather than trusting the index by default.

Test with agentic, multi-step poisoning. Red-team the whole loop, not one retrieval. Evaluations that only inject a single document will miss sequential attacks that exploit reformulation.

Status

AspectDetail
SourceKidnapRAG (arXiv:2607.00422), submitted 1 July 2026
ClassBlack-box knowledge/corpus poisoning of agentic RAG — reasoning-chain hijack
Threat modelAttacker publishes externally retrievable documents only; no access to prompts, retriever, traces, or weights
MethodSequential poisoning via role-specific documents (bait, chain-link, malicious-instruction)
ScopeMultiple agentic RAG frameworks and LLM backbones (per authors)
NatureResearch finding / benchmark — no CVE, not a report of active in-the-wild exploitation

Sources