[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-82513-en":3,"doc-seo-82513-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},82513,687197100911,"Himbo","https://ap-avatar.wpscdn.com/avatar/a000239b6f1da00475?x-image-process=image/resize,m_fixed,w_180,h_180&k=1782698725881665579",8,"Research & Report","KidnapRAG A Black-Box Attack for Hijacking Reasoning in Agentic Retrieval-Augmented Generation Systems","Retrieval-Augmented Generation (RAG) systems are susceptible to poisoning attacks that insert malicious documents into retrieval to steer model outputs. Agentic RAG mitigates these threats by iteratively retrieving and reasoning, often discarding weakly related poisons and preserving the user-induced reasoning chain. Existing Agentic RAG attacks typically require white-box access to prompts, traces, retrievers, or parameters. KidnapRAG studies black-box poisoning where attackers can only publish externally retrievable documents, using Bait, Chain-Link, and Mal-Ins to sequentially hijack multistep reasoning and evidence, validated across multiple frameworks and benchmarks.","KidnapRAG: A Black-Box Attack for Hijacking Reasoning in Agentic Retrieval-Augmented Generation Systems  \nChanwoo Choi 1 ,† Euntae Kim 1 ,† Kyuho Lee 1 ,† Youngsam Chun2 Jinhee Jeong2 Eunmi Kim2 Myunggyo Oh2 Junseo Jang2 Buru Chang 1 ,∗  \n1 Korea University 2 KT Corporation  \n{ccw316,untae0122,kyuholee,[buru_chang}@korea.ac.kr](buru_chang}@korea.ac.kr)[ ](buru_chang}@korea.ac.kr){ys.chun,jini.jeong,[em.kim](em.kim),mg .oh,[junseo.jang}@kt.com](junseo.jang}@kt.com)  \narXiv :2607 .00422v 1 [ cs .CR] 1 Jul 2026  \nAbstract  \nRetrieval-Augmented Generation (RAG) systems are vulnerable to poisoning attacks that inject malicious documents into the retrieval process to manipulate model outputs. Recent Agentic RAG systems are more robust to such attacks because they iteratively perform retrieval and reasoning, allowing them to ignore weakly relevant poisoned documents and preserve the reasoning chain induced by the user query. However, existing attacks on Agentic RAG systems often assume white-box access to system prompts, reasoning traces, retrievers, or model parameters, limiting their applicability in realistic settings. In this paper, we study black-box poisoning attacks against Agentic RAG systems, where the attacker can only publish externally retrievable poisoned documents. We propose KidnapRAG, a sequential poisoning attack that hijacks the agent’s multistep reasoning chain using three role-specific documents: Bait, Chain-Link, and Mal-Ins, which attract initial retrieval, induce query reformulation, and provide attacker-controlled evidence, respectively. Experiments across multiple Agentic RAG frameworks, LLM backbones, and benchmarks show that KidnapRAG consistently outperforms existing poisoning baselines under black-box conditions. Further analyses show that KidnapRAG progressively weakens the original retrieval intent, redirects retrieval behavior, and increases reliance on attacker-controlled evidence. Our code is publicly available at [https://github.com/](https://github.com/)[ ](https://github.com/)chanwoochoi316/KidnapRAG.  \n1 Introduction  \nRetrieval-Augmented Generation (RAG) systems (Lewis et al., 2020 ; Izacard and Grave, 2021) have become a standard paradigm for augmenting Large Language Models (LLMs) with external knowledge. However, their reliance on retrieved  \n†Equal contribution.  \n* Corresponding author.  \nFigure 1: Comparison between previous attacks and KidnapRAG in Agentic RAG systems. Previous attacks fail because they cannot hijack the agent’s reasoning chain, whereas KidnapRAG controls the reasoning chain to induce the attacker-intended target answer.  \ndocuments introduces a critical security risk: adversaries can inject poisoned documents into the retrieval corpus to manipulate model outputs (Choi et al., 2025 ; Chen et al., 2025) . Prior RAG poisoning attacks have shown that conventional RAG systems are vulnerable to such threats, as they typically perform retrieval once and generate responses directly from the retrieved evidence.  \nRecent Agentic RAG systems (Yao et al., 2022 ; Li et al., 2025, 2026 ; Dong et al., 2026) change this attack surface. Unlike conventional RAG, Agentic RAG iteratively performs retrieval, observation, reasoning, and action, enabling follow-up searches and multi-step refinement. This design supports complex information needs and has been adopted in advanced RAG services such as Deep Research in ChatGPT and Gemini. However, it also makes existing black-box RAG poisoning attacks less effective. As illustrated in Figure 1, a poisoned document retrieved at an intermediate step does not necessarily determine the final response. Because the agent can compare retrieved evidence with its current reasoning state, discard weakly relevant information, and continue searching, poisoned documents designed for single-step RAG often fail to alter the reasoning chain induced by the user query.  \nFigure 2: Exposed reasoning processes in real-world Agentic RAG systems. The systems reveal int","cbCaiktzlSSDPE30","https://ap.wps.com/l/cbCaiktzlSSDPE30","pdf",2267536,1,24,"English","en",105,"# Introduction\n## Retrieval-Augmented Generation and poisoning risk\n## Agentic RAG attack surface and limitations of prior attacks\n## Proposed black-box threat model for KidnapRAG\n# KidnapRAG: sequential hijacking mechanism\n## Bait document: initial retrieval attraction\n## Chain-Link document: sustaining the hijacked chain\n## Mal-Ins document: attacker-controlled evidence\n# Evaluation and results","[{\"question\":\"What makes Agentic RAG systems more robust than conventional RAG against poisoning attacks?\",\"answer\":\"Agentic RAG iteratively performs retrieval, observation, reasoning, and actions, allowing it to compare retrieved evidence with its current reasoning state, discard weakly relevant information, and continue searching. This can prevent single-step poisoned documents from determining the final response.\"},{\"question\":\"What is the black-box attacker capability assumed in KidnapRAG?\",\"answer\":\"The attacker can only publish externally retrievable poisoned documents to sources that the agent may be indexed and retrieved from. No access is assumed to system prompts, reasoning traces, retrievers, parameters, or internal policies.\"},{\"question\":\"How does KidnapRAG hijack the agent’s reasoning chain?\",\"answer\":\"KidnapRAG uses three role-specific documents—Bait, Chain-Link, and Mal-Ins—to progressively redirect retrieval intent across multiple reasoning steps. Bait induces follow-up queries into a rare domain, Chain-Link sustains the hijacked multistep reasoning during subsequent searches, and Mal-Ins provides attacker-controlled evidence.\"}]",1784181048,60,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"kidnaprag-a-black-box-attack-for-hijacking-reasoning-in-agentic-retrieval-augmented-generation-systems","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/kidnaprag-a-black-box-attack-for-hijacking-reasoning-in-agentic-retrieval-augmented-generation-systems/82513/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What makes Agentic RAG systems more robust than conventional RAG against poisoning attacks?","Question",{"text":75,"@type":76},"Agentic RAG iteratively performs retrieval, observation, reasoning, and actions, allowing it to compare retrieved evidence with its current reasoning state, discard weakly relevant information, and continue searching. This can prevent single-step poisoned documents from determining the final response.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"What is the black-box attacker capability assumed in KidnapRAG?",{"text":80,"@type":76},"The attacker can only publish externally retrievable poisoned documents to sources that the agent may be indexed and retrieved from. No access is assumed to system prompts, reasoning traces, retrievers, parameters, or internal policies.",{"name":82,"@type":73,"acceptedAnswer":83},"How does KidnapRAG hijack the agent’s reasoning chain?",{"text":84,"@type":76},"KidnapRAG uses three role-specific documents—Bait, Chain-Link, and Mal-Ins—to progressively redirect retrieval intent across multiple reasoning steps. Bait induces follow-up queries into a rare domain, Chain-Link sustains the hijacked multistep reasoning during subsequent searches, and Mal-Ins provides attacker-controlled evidence.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,109,114,119,122,127,130,134],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":28,"slug":108},5,"Comic","comic",{"id":110,"doc_module":4,"doc_module_name":45,"category_name":111,"show_sort_weight":112,"slug":113},6,"Technology",50,"technology",{"id":115,"doc_module":4,"doc_module_name":45,"category_name":116,"show_sort_weight":117,"slug":118},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":120,"slug":121},30,"research-report",{"id":123,"doc_module":4,"doc_module_name":45,"category_name":124,"show_sort_weight":125,"slug":126},9,"Religion & Spirituality",20,"religion-spirituality",{"id":125,"doc_module":4,"doc_module_name":45,"category_name":128,"show_sort_weight":125,"slug":129},"World Cup","world-cup",{"id":131,"doc_module":4,"doc_module_name":45,"category_name":132,"show_sort_weight":131,"slug":133},10,"Lifestyle","lifestyle",{"id":135,"doc_module":4,"doc_module_name":45,"category_name":136,"show_sort_weight":106,"slug":137},19,"General","general"]