Beyond Text: Unveiling Privacy Vulnerabilities in Multi-modal Retrieval-Augmented Generation

Jiankun Zhang, Shenglai Zeng, Jie Ren, Tianqi Zheng, Hui Liu, Xianfeng Tang, Hui Liu, Yi Chang

TL;DR

This work conducts the first systematic study of privacy vulnerabilities in multimodal Retrieval-Augmented Generation (MRAG) systems, examining both Vision-Language RAG (VL-RAG) and Speech-Language RAG (SL-RAG). It introduces a practical black-box compositional prompt attack with an {information} and {command} structure to extract private data from external retrieval databases, showing both direct leakage (near-identical images or audio) and indirect leakage (detailed textual content) across three datasets. The experiments reveal substantial privacy risks across modalities, with ablations showing that leakage scales nonlinearly with retrieved content and is highly sensitive to prompt design and model parameters. The findings underscore an urgent need for privacy-preserving MRAG techniques and set a foundation for developing defenses against multi-modal data leakage in real-world applications.

Abstract

Multimodal Retrieval-Augmented Generation (MRAG) systems enhance LMMs by integrating external multimodal databases, but introduce unexplored privacy vulnerabilities. While text-based RAG privacy risks have been studied, multimodal data presents unique challenges. We provide the first systematic analysis of MRAG privacy vulnerabilities across vision-language and speech-language modalities. Using a novel compositional structured prompt attack in a black-box setting, we demonstrate how attackers can extract private information by manipulating queries. Our experiments reveal that LMMs can both directly generate outputs resembling retrieved content and produce descriptions that indirectly expose sensitive information, highlighting the urgent need for robust privacy-preserving MRAG techniques.

Paper Structure

This paper contains 56 sections, 5 equations, 16 figures, 12 tables.

Figures (16)

  • Figure 1: An illustration of an MRAG system pipeline and its privacy vulnerability. When a user submits a query, the system retrieves relevant multi-modal samples from an external database and combines them with the query as input to the LMM. Attackers can exploit this process by crafting queries that manipulate the system into revealing private information from the database.
  • Figure 2: Ablation study on the number of retrieved images per query, k.
  • Figure 3: Ablation study on command part for VL-RAG.
  • Figure 4: Ablation study on command part for SL-RAG.
  • Figure 5: Examples of Indirect Visual Data Leakage. Repeated text segments are highlighted in yellow, and potentially privacy-sensitive terms in the generated text are marked in red.
  • ...and 11 more figures