
Retrieval Pivot Attacks in Hybrid RAG: Measuring and Mitigating Amplified Leakage from Vector Seeds to Graph Expansion

Scott Thornton

TL;DR

Hybrid RAG systems that combine vector retrieval with knowledge-graph expansion introduce a distinct cross-tenant leakage risk at the vector-to-graph pivot boundary. The authors formalize Retrieval Pivot Risk ($RPR$) and related metrics ($Leakage@k$, $AF$, $PD$), and demonstrate seven pivot attacks that exploit this boundary across synthetic and real corpora, even without adversarial injection. They show that per-hop authorization at the graph expansion boundary eliminates leakage ($RPR\approx 0$) with minimal latency, highlighting that boundary enforcement—not solely complex defenses—addresses the root cause. The study reveals a consistent Pivot Depth ($PD$) signature of 2 hops, confirming a structural property of bipartite chunk-entity graphs, and provides a practical defense-in-depth set of mitigations. Overall, the work offers actionable guidance for securing hybrid RAG deployments and emphasizes the need to recheck authorization at the transition point between components when composing secure retrieval modalities.

Abstract

Hybrid Retrieval-Augmented Generation (RAG) pipelines combine vector similarity search with knowledge graph expansion for multi-hop reasoning. We show that this composition introduces a distinct security failure mode: a vector-retrieved "seed" chunk can pivot via entity links into sensitive graph neighborhoods, causing cross-tenant data leakage that does not occur in vector-only retrieval. We formalize this risk as Retrieval Pivot Risk (RPR) and introduce companion metrics Leakage@k, Amplification Factor, and Pivot Depth (PD) to quantify leakage magnitude and traversal structure. We present seven Retrieval Pivot Attacks that exploit the vector-to-graph boundary and show that adversarial injection is not required: naturally shared entities create cross-tenant pivot paths organically. Across a synthetic multi-tenant enterprise corpus and the Enron email corpus, the undefended hybrid pipeline exhibits high pivot risk (RPR up to 0.95) with multiple unauthorized items returned per query. Leakage consistently appears at PD=2, which we attribute to the bipartite chunk-entity topology and formalize as a proposition. We then show that enforcing authorization at a single location, the graph expansion boundary, eliminates measured leakage (RPR near 0) across both corpora, all attack variants, and label forgery rates up to 10 percent, with minimal overhead. Our results indicate the root cause is boundary enforcement, not inherently complex defenses: two individually secure retrieval components can compose into an insecure system unless authorization is re-checked at the transition point.
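As an added worked example (my own toy code, not the paper's implementation or data), the following Python models the composition the abstract describes: tenant-filtered vector seeds expand over a bipartite chunk-entity graph, a naturally shared entity creates a cross-tenant pivot at hop depth 2, and re-checking tenant ownership on every chunk node at the expansion boundary removes the leakage. The corpus, the queries and the concrete form of RPR (fraction of queries returning at least one unauthorized chunk) are assumptions.

```python
from collections import deque

# Constructed multi-tenant corpus: chunk id -> (owning tenant, entities it mentions).
# "acme" is legitimately shared by tenants A and B, so a pivot path exists organically.
CHUNKS = {
    "c1": ("tenantA", {"acme", "q3-forecast"}),
    "c2": ("tenantA", {"acme"}),
    "c3": ("tenantB", {"acme", "merger-plan"}),
    "c4": ("tenantB", {"merger-plan"}),
    "c5": ("tenantC", {"payroll"}),
}
# Constructed queries: (caller tenant, seeds from an already tenant-filtered vector search).
QUERIES = [("tenantA", ["c1"]), ("tenantB", ["c4"]), ("tenantC", ["c5"])]

def build_graph(chunks):
    """Bipartite chunk-entity graph: chunk -> entities and entity -> chunks."""
    adj = {}
    for cid, (_, ents) in chunks.items():
        adj.setdefault(cid, set()).update(ents)
        for ent in ents:
            adj.setdefault(ent, set()).add(cid)
    return adj

def expand(adj, seeds, tenant, max_hops=2, authorize=False):
    """BFS expansion from vector seeds; returns {chunk: hop depth}. authorize=True
    re-checks tenant ownership of every chunk node before it is enqueued (per-hop)."""
    depth = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if depth[node] >= max_hops:
            continue
        for nb in adj.get(node, ()):
            if nb in depth:
                continue
            if authorize and nb in CHUNKS and CHUNKS[nb][0] != tenant:
                continue  # unauthorized chunk: neither returned nor expanded further
            depth[nb] = depth[node] + 1
            queue.append(nb)
    return {n: d for n, d in depth.items() if n in CHUNKS}

def leaked(result, tenant):
    """Unauthorized chunks in a result, each with its pivot depth (PD)."""
    return {c: d for c, d in result.items() if CHUNKS[c][0] != tenant}

def pivot_risk(adj, queries, max_hops=2, authorize=False):
    """Assumed RPR form: fraction of queries that return >= 1 unauthorized chunk."""
    hits = sum(bool(leaked(expand(adj, s, t, max_hops, authorize), t)) for t, s in queries)
    return hits / len(queries)
```

Raising the hop budget from 2 to 4 lets tenant B's query reach tenant A's chunks as well, which mirrors the paper's finding that the traversal budget controls leakage, while the authorized expansion stays at zero for every budget.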

Paper Structure

This paper contains 78 sections, 8 equations, 4 figures, 14 tables, 1 algorithm.

Figures (4)

  • Figure 1: Retrieval Pivot Risk with 95% bootstrap CIs across pipeline variants. P3 (undefended hybrid) shows $\text{RPR} \approx 0.95$. All defended variants (P4 to P8) achieve $\text{RPR} = 0.0$.
  • Figure 2: Traversal parameter sweep: context size vs. latency, colored by RPR. The total node budget is the primary leakage-controlling parameter.
  • Figure 3: D1 robustness under metadata corruption. RPR remains 0.0 even at 5% mislabel rate. Context size decreases slightly as erroneously up-labeled nodes are filtered.
  • Figure 4: Mean context size under progressive defenses. D1 alone reduces context from 110 to 50 to 56 items (removing unauthorized content). D3 to D5 further reduce noise, reaching 19 to 20 items with the full defense stack.