Table of Contents
Fetching ...

Query-Efficient Agentic Graph Extraction Attacks on GraphRAG Systems

Shuhua Yang, Jiahao Zhang, Yilong Wang, Dongwon Lee, Suhang Wang

TL;DR

This work formalizes the risk of reconstructing a GraphRAG’s latent knowledge graph under budgeted, black-box access and introduces AGEA, a memory-augmented, agentic attack that uses novelty-guided exploration–exploitation and a two-stage discovery+filtering pipeline. AGEA leverages external graph memory to maintain long-horizon context and applies regex-based discovery plus LLM-based filtering to incrementally reconstruct the graph with high precision, outperforming baselines across medical, agriculture, and novel-domain datasets in two GraphRAG systems. Empirical results show AGEA can recover up to 90% of nodes and edges under identical query budgets, demonstrating significant privacy risks inherent in graph-augmented retrieval systems. The findings motivate defenses such as retrieval-time filtering and response sanitization, and call for standardized benchmarks to evaluate and mitigate graph-level leakage in GraphRAG architectures.

Abstract

Graph-based retrieval-augmented generation (GraphRAG) systems construct knowledge graphs over document collections to support multi-hop reasoning. While prior work shows that GraphRAG responses may leak retrieved subgraphs, the feasibility of query-efficient reconstruction of the hidden graph structure remains unexplored under realistic query budgets. We study a budget-constrained black-box setting where an adversary adaptively queries the system to steal its latent entity-relation graph. We propose AGEA (Agentic Graph Extraction Attack), a framework that leverages a novelty-guided exploration-exploitation strategy, external graph memory modules, and a two-stage graph extraction pipeline combining lightweight discovery with LLM-based filtering. We evaluate AGEA on medical, agriculture, and literary datasets across Microsoft-GraphRAG and LightRAG systems. Under identical query budgets, AGEA significantly outperforms prior attack baselines, recovering up to 90% of entities and relationships while maintaining high precision. These results demonstrate that modern GraphRAG systems are highly vulnerable to structured, agentic extraction attacks, even under strict query limits.

Query-Efficient Agentic Graph Extraction Attacks on GraphRAG Systems

TL;DR

This work formalizes the risk of reconstructing a GraphRAG’s latent knowledge graph under budgeted, black-box access and introduces AGEA, a memory-augmented, agentic attack that uses novelty-guided exploration–exploitation and a two-stage discovery+filtering pipeline. AGEA leverages external graph memory to maintain long-horizon context and applies regex-based discovery plus LLM-based filtering to incrementally reconstruct the graph with high precision, outperforming baselines across medical, agriculture, and novel-domain datasets in two GraphRAG systems. Empirical results show AGEA can recover up to 90% of nodes and edges under identical query budgets, demonstrating significant privacy risks inherent in graph-augmented retrieval systems. The findings motivate defenses such as retrieval-time filtering and response sanitization, and call for standardized benchmarks to evaluate and mitigate graph-level leakage in GraphRAG architectures.

Abstract

Graph-based retrieval-augmented generation (GraphRAG) systems construct knowledge graphs over document collections to support multi-hop reasoning. While prior work shows that GraphRAG responses may leak retrieved subgraphs, the feasibility of query-efficient reconstruction of the hidden graph structure remains unexplored under realistic query budgets. We study a budget-constrained black-box setting where an adversary adaptively queries the system to steal its latent entity-relation graph. We propose AGEA (Agentic Graph Extraction Attack), a framework that leverages a novelty-guided exploration-exploitation strategy, external graph memory modules, and a two-stage graph extraction pipeline combining lightweight discovery with LLM-based filtering. We evaluate AGEA on medical, agriculture, and literary datasets across Microsoft-GraphRAG and LightRAG systems. Under identical query budgets, AGEA significantly outperforms prior attack baselines, recovering up to 90% of entities and relationships while maintaining high precision. These results demonstrate that modern GraphRAG systems are highly vulnerable to structured, agentic extraction attacks, even under strict query limits.
Paper Structure (47 sections, 11 equations, 6 figures, 10 tables)

This paper contains 47 sections, 11 equations, 6 figures, 10 tables.

Figures (6)

  • Figure 1: Proposed Agentic Graph Extraction Attack.
  • Figure 2: M-GraphRAG Cumulative KG Leakage over query turns.
  • Figure 3: Extraction command ablation on the Medical dataset using M-GraphRAG with a 250 query budget.
  • Figure 4: Cumulative KG Leakage on Novel Dataset.
  • Figure 5: Cumulative Importance-based Node Leakage over query turns for M-GraphRAG.
  • ...and 1 more figures