[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-83847-en":3,"doc-seo-83847-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},83847,8796095462418,"Noah","https://ap-avatar.wpscdn.com/avatar/80000253c1241d02b47?x-image-process=image/resize,m_fixed,w_180,h_180&k=1778826106357471780",8,"Research & Report","FORGE Research Trajectory Hijacking Attacks on Deep Research Agents","Deep research agents break open-ended queries into subtasks, retrieve web evidence across multiple rounds, and synthesize long-form reports. This workflow introduces a planning-layer poisoning surface: adversarial documents entering the retrieval pool can steer subsequent questions and amplify a local injection into report-level contamination. The paper proposes FORGE, a two-level attack combining fabricated intra-document reasoning with inter-document coordination to hijack subtask planning. It introduces PRISM to quantify claim impact by cognitive type and a defense, Root Query Anchoring, that constrains recursive drift.","FORGE: Research-Trajectory Hijacking Attacks on Deep Research Agents  \nYue Pan1 * Ziheng Zhang2 * Junxiang Lei1 Changhao Jia1 Qingyi Si3† Hongcheng Guo 1†  \n1Fudan University 2Huazhong University of Science and Technology  \n3Explore Academy, JD  \narXiv :2607 .047 18v 1 [ cs .AI] 6 Jul 2026  \nAbstract  \nDeep research agents decompose open-ended queries into subtasks, retrieve web evidence over multiple rounds, and synthesize long-form reports. This workflow creates a planninglayer poisoning surface: adversarial documents that enter the retrieval pool can steer follow-up questions and turn a local injection into reportlevel contamination. We present FORGE (Fabricated Orchestrated Reasoning chain for aGent Exploitation), a two-level attack that combines intra-document reasoning fabrication with inter-document chain coordination to hijack subtask planning. We further introduce PRISM metric, which weights infected report claims by cognitive type, and Root Query Anchoring, a lightweight defense that ties recursive follow-up generation to the root query. Across 25 queries, Network FORGE reaches 26.4% PRISM with five injected documents and exhibits depth migration, in which recursive synthesis shifts poisoned content from overt framing into factual premises. On the 10-query defense subset, RQA (Root Query Anchoring) reduces PRISM from 38.5% to  \n18.3% . Code is available at [https://github](https://github). com/yvepan/FORGE.  \n1 Introduction  \nDeep research agents have turned web retrieval into long-form analytical work: they decompose a user query into subtasks, retrieve evidence over multiple rounds, and synthesize citation-grounded reports, following the planning– acquisition–generation structure documented in recent surveys (Shi et al., 2025) . Platforms such as gpt-researcher (Elovic, 2023) and OpenAI Deep Research (OpenAI, 2025a) now automate workflows that previously required hours of expert effort, spanning competitive intelligence, medical  \n* Equal contribution.† Corresponding authors.  \nliterature review, policy analysis, and scientific discovery (Muthusamy et al., 2023) . However, this capability creates a new security dependency: early retrieved evidence can shape not only what the agent writes, but also what it decides to investigate next. This retrieval–planning coupling creates a distinct attack surface: unlike standard RAG, where poisoning remains confined to a single retrieval step, adversarial content in deep research agents can propagate through successive planning rounds into report-level contamination.  \nPrior poisoning attacks on retrieval-augmented systems (Zou et al., 2025 ; Zhong et al., 2023) show that a small number of adversarial passages can mislead single-hop QA, and their corresponding defenses target retrieval or generation in isolation. This isolation breaks down in deep research agents because retrieval is coupled to planning: the agent first queries the document pool to form a research plan, then retrieves fresh evidence for each planned subtask, and finally synthesizes the findings into a report. Adversarial documents that enter the initial retrieval can therefore steer the planner into generating aligned subtasks—each of which pulls further poisoned evidence in subsequent rounds, compounding contamination before synthesis even begins. Defenses that sanitize individual retrieval calls or filter output passages do not address this compounding effect, leaving the planning-layer attack surface unexplored.  \nWe address this planning-layer gap with three contributions, illustrated in Fig. 1. The core attack, FORGE (Fabricated Orchestrated Reasoning chain for aGent Exploitation), is a two-level construction: at the document level, each adversarial document embeds an internal reasoning chain that presents the target claim as a derived conclusion rather than a bare assertion; at the set level, FORGE distributes a coordinated argument across documents so the poisoned set reads as convergent multi-source evi","cbCaioYqYaerCwLK","https://ap.wps.com/l/cbCaioYqYaerCwLK","pdf",1055641,1,20,"English","en",105,"# Abstract\n# Introduction\n# Related Work\n## Deep Research Agents","[{\"question\":\"What threat do the authors identify for deep research agents?\",\"answer\":\"They identify planning-layer poisoning, where adversarial documents influence not only what the agent writes but also what it plans to investigate next across multiple retrieval rounds, leading to report-level contamination.\"},{\"question\":\"How does FORGE execute the attack?\",\"answer\":\"FORGE uses a two-level strategy: it embeds fabricated reasoning within each adversarial document and coordinates argument flow across multiple documents so the set appears as convergent multi-source evidence that steers follow-up subtasks.\"},{\"question\":\"What are PRISM and Root Query Anchoring (RQA), and how do they relate to defense?\",\"answer\":\"PRISM measures severity by weighting infected report claims by cognitive type, capturing compromised reasoning weight. Root Query Anchoring is a lightweight defense that reinjects the root query during recursive follow-up generation to limit subtask drift and reduce PRISM.\"}]",1784190946,50,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"forge-research-trajectory-hijacking-attacks-on-deep-research-agents","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/forge-research-trajectory-hijacking-attacks-on-deep-research-agents/83847/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What threat do the authors identify for deep research agents?","Question",{"text":75,"@type":76},"They identify planning-layer poisoning, where adversarial documents influence not only what the agent writes but also what it plans to investigate next across multiple retrieval rounds, leading to report-level contamination.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How does FORGE execute the attack?",{"text":80,"@type":76},"FORGE uses a two-level strategy: it embeds fabricated reasoning within each adversarial document and coordinates argument flow across multiple documents so the set appears as convergent multi-source evidence that steers follow-up subtasks.",{"name":82,"@type":73,"acceptedAnswer":83},"What are PRISM and Root Query Anchoring (RQA), and how do they relate to defense?",{"text":84,"@type":76},"PRISM measures severity by weighting infected report claims by cognitive type, capturing compromised reasoning weight. Root Query Anchoring is a lightweight defense that reinjects the root query during recursive follow-up generation to limit subtask drift and reduce PRISM.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,114,119,122,126,129,133],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":28,"slug":113},6,"Technology","technology",{"id":115,"doc_module":4,"doc_module_name":45,"category_name":116,"show_sort_weight":117,"slug":118},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":120,"slug":121},30,"research-report",{"id":123,"doc_module":4,"doc_module_name":45,"category_name":124,"show_sort_weight":21,"slug":125},9,"Religion & Spirituality","religion-spirituality",{"id":21,"doc_module":4,"doc_module_name":45,"category_name":127,"show_sort_weight":21,"slug":128},"World Cup","world-cup",{"id":130,"doc_module":4,"doc_module_name":45,"category_name":131,"show_sort_weight":130,"slug":132},10,"Lifestyle","lifestyle",{"id":134,"doc_module":4,"doc_module_name":45,"category_name":135,"show_sort_weight":106,"slug":136},19,"General","general"]