Papers
Topics
Authors
Recent
Search
2000 character limit reached

LeakDojo: Decoding the Leakage Threats of RAG Systems

Published 7 May 2026 in cs.CR, cs.AI, and cs.CL | (2605.05818v1)

Abstract: Retrieval-Augmented Generation (RAG) enables LLMs to leverage external knowledge, but also exposes valuable RAG databases to leakage attacks. As RAG systems grow more complex and LLMs exhibit stronger instruction-following capabilities, existing studies fall short of systematically assessing RAG leakage risks. We present LeakDojo, a configurable framework for controlled evaluation of RAG leakage. Using LeakDojo, we benchmark six existing attacks across fourteen LLMs, four datasets, and diverse RAG systems. Our study reveals that (1) query generation and adversarial instructions contribute independently to leakage, with overall leakage well approximated by their product; (2) stronger instruction-following capability correlates with higher leakage risk; and (3) improvements in RAG faithfulness can introduce increased leakage risk. These findings provide actionable insights for understanding and mitigating RAG leakage in practice. Our codebase is available at https://github.com/yeasen-z/LeakDojo.

Summary

  • The paper's main contribution is the LeakDojo framework, which systematically benchmarks RAG leakage by isolating modular system components and attack strategies.
  • It empirically quantifies leakage risks across diverse attack strategies, showing significant correlations between instruction following and privacy vulnerabilities.
  • By exposing design pitfalls in rewriter, summarizer, and reranker modules, the work informs robust attack modeling and the development of adaptive defense mechanisms.

Systematic Analysis of Leakage Threats in Retrieval-Augmented Generation: The LeakDojo Framework

Introduction

"LeakDojo: Decoding the Leakage Threats of RAG Systems" (2605.05818) systematically investigates the privacy and security vulnerabilities of Retrieval-Augmented Generation (RAG) systems. The paper introduces LeakDojo, a modular, extensible benchmarking framework for controlled evaluations of RAG leakage, encompassing both modern system architectures and a broad adversarial attack surface. By isolating the contributions of query generation, adversarial instructions, and RAG architectural enhancements, the work empirically exposes critical trade-offs and design pitfalls that impact leakage risk and valuable insights for attack and defense strategies.

Leakage Threats in Contemporary RAG Systems

The cost of constructing high-value RAG knowledge bases for specialized domains incentivizes attackers to extract proprietary content via leakage attacks. The shift from simple retriever-based pipelines to complex multi-component RAG platformsโ€”incorporating rerankers, rewriters, and summarizersโ€”profoundly modifies both the attack surface and leakage dynamics. Figure 1

Figure 1: Modern RAG systems comprise retrievers, rerankers, rewriters, and summarizers, each impacting leakage pathways and risks.

Leakage stems from the disproportionate ease with which retrieved chunks, exposed to LLMs at inference, can be exfiltrated through prompt injection or instruction-following vulnerabilities. Prior work largely focuses on simplistic pipelines. This paper demonstrates that modern enhancements, while improving utility or faithfulness, open nuanced new pathways for information compromise.

LeakDojo: Model, Architecture, and Configurability

LeakDojo is structured to support fine-grained evaluations via the independent configuration of RAG system components, attack strategies, and defense mechanisms. Figure 2

Figure 2: LeakDojo models RAG leakage as an adversarial dynamic where attack and defense modules are independently configurable along the pipeline.

  • RAG System Modularization: Retrieval (embedding model, strategy, thresholds, k), re-ranking, rewriting, and summarization modules can be independently toggled and parameterized. This decomposition enables targeted, empirical isolation of how particular design choices modulate leakage dynamics.
  • Attack Flexibility: Attacks are abstracted into query generators (static or interactive) and adversarial instructions; these components can be freely combined, allowing the controlled study of their independent and joint effects.
  • Defense Integration: Modular defenses encompass input intent detectors and output content filters, deployed independently or jointly, for realistic evaluation against adaptive adversarial techniques.

Empirical Benchmarking: Attacks, Risks, and System Parameters

The experimental protocol benchmarks six representative attack strategies on 14 LLMs across four datasets, controlling for RAG system configurations (retriever only, plus reranker, plus rewriter, plus summarizer). Performance is assessed with four key metrics: Cumulative Chunk Leakage (CCL), Successful Leak Trigger (SLT), Adversarial Retrieval Coverage (ARC), and Chunk Recovery Rate (CRR).

  • Attack Results: No single attack dominates universally; attack efficacy is highly sensitive to the choice of LLM and dataset. For instance, PoR attains 88.3% CCL on Enron Email with Gemini-3-flash but only 6.8% CCL with DeepSeek-V3 for the same dataโ€”a strong demonstration of the importance of system-specific benchmarking.
  • Instruction-Following and Leakage Trade-off: A statistically significant positive correlation is observed between LLM instruction-following ability (measured by IFEval [zhou2023ifeval]) and leakage risk (SLT), evidenced by r=0.578r = 0.578, p=0.039p = 0.039 in Pearson analysis. Figure 3

    Figure 3: Increased instruction adherence in LLMs directly correlates with higher RAG leakage risk.

  • Attack Orthogonality: The effectiveness of query generation (ARC) and adversarial instruction (SLT) are largely independent; the empirical product SLTร—ARC\text{SLT} \times \text{ARC} closely predicts observed CCL values. Figure 4

    Figure 4: CCL is well explained by the product of SLT and ARC, confirming the orthogonal contributions of query and instruction components.

Architectural Enhancements: Effects on Utility and Security

The integration of RAG enhancement modules, while often motivated by improvements to retrieval quality or system utility, can unintentionally raise or lower leakage risk:

  • Rewriter: Consistently raises ARC and reduces its variance, effectively lowering the floor for successful leakage across poor queries.
  • Summarizer: Decreases both CCL (by reducing verbatim content exposure) and RAG faithfulness, impairing answer utility.
  • Reranker: Minimal effect on leakage metrics, implying that additional ranking without context rewriting or summarization does not meaningfully affect attack surface.

Notably, a strong positive correlation is observed between RAG faithfulness (system answer fidelity to context, via Ragas evaluation) and leakage, crystallizing the underlying utility-privacy tradeoff. Figure 5

Figure 5: As RAG faithfulness increases, so does CCL, highlighting a core trade-off between answer accuracy and privacy.

Attack Adaptivity and Defense Evasion

LeakDojo enables analysis of both legacy and adaptive attack techniques:

  • Modular defense strategies (intent detectors, output filters) are highly effective against standard explicit prompt-injection attacks, reducing observed CCL to <1%.
  • Novel adversarial instructions (RankerSet and CodeClaim)โ€”that embed exfiltration directives within logical or formatting tasksโ€”substantially bypass input intent detectors, achieving up to 59.6% CCL where the default attacks yield only 7.3%. This underscores the limitations of current defense formalisms and the potential for plausible deniability in instruction design.

Practical and Theoretical Implications

This work delivers actionable insights for practitioners:

  • System Design: Architectural choices that improve RAG system faithfulness or retrieval coverage must be audited for privacy risk, as enhancements may inadvertently raise leakage rates.
  • Attack Modeling: Security evaluations must jointly consider LLM instruction-following tendencies, attack adaptivity, and contextual use within enhanced RAG pipelines.
  • Defense: Input and output defenses must go beyond pattern-matching for explicit leakage directives. Stealthy, context-masked attacks can surpass naive filtering, suggesting the need for deeper intent analysis and holistic privacy auditing of both input and output.

Further, the decomposition of attack efficacy into orthogonal components suggests model-agnostic, modular avenues for both attack refinement and defense strategy development.

Future Directions

The findings motivate multiple future research axes for AI safety and secure RAG deployment:

  • Multilingual and Domain-General Risk: Extending leakage audits to non-English and low-resource domains, accounting for dataset- and language-specific retrieval/response patterns.
  • Robust Defense Mechanisms: Development of universal, context-aware defense systems that generalize across explicit and covert attack forms.
  • Long-term, Budget-Adapted Audits: Exploring adaptive attacks under extended interaction budgets, real-world deployment logging, and continuous risk monitoring.
  • Faithfulness-Privacy Trade-off Optimization: Exploration of new RAG design paradigms and LLM alignment protocols that balance answer faithfulness with quantifiable privacy guarantees.

Conclusion

LeakDojo operationalizes the systematic evaluation of leakage risks in RAG systems, establishing that both model-internal properties (instruction following) and architectural enhancements (rewriter, summarizer, reranker) are double-edged with respect to privacy and answer utility. The decomposition of attacks into orthogonal functional components, coupled with extensive empirical benchmarking, enables actionable risk assessment for both researchers and applied practitioners. The release of a modular, extensible leakage evaluation framework positions the community for more secure RAG deployments and robust, adaptive defense design.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 2 likes about this paper.