- The paper's main contribution is the LeakDojo framework, which systematically benchmarks RAG leakage by isolating modular system components and attack strategies.
- It empirically quantifies leakage risks across diverse attack strategies, showing significant correlations between instruction following and privacy vulnerabilities.
- By exposing design pitfalls in rewriter, summarizer, and reranker modules, the work informs robust attack modeling and the development of adaptive defense mechanisms.
Systematic Analysis of Leakage Threats in Retrieval-Augmented Generation: The LeakDojo Framework
Introduction
"LeakDojo: Decoding the Leakage Threats of RAG Systems" (2605.05818) systematically investigates the privacy and security vulnerabilities of Retrieval-Augmented Generation (RAG) systems. The paper introduces LeakDojo, a modular, extensible benchmarking framework for controlled evaluations of RAG leakage, encompassing both modern system architectures and a broad adversarial attack surface. By isolating the contributions of query generation, adversarial instructions, and RAG architectural enhancements, the work empirically exposes critical trade-offs and design pitfalls that impact leakage risk and valuable insights for attack and defense strategies.
Leakage Threats in Contemporary RAG Systems
The cost of constructing high-value RAG knowledge bases for specialized domains incentivizes attackers to extract proprietary content via leakage attacks. The shift from simple retriever-based pipelines to complex multi-component RAG platformsโincorporating rerankers, rewriters, and summarizersโprofoundly modifies both the attack surface and leakage dynamics.
Figure 1: Modern RAG systems comprise retrievers, rerankers, rewriters, and summarizers, each impacting leakage pathways and risks.
Leakage stems from the disproportionate ease with which retrieved chunks, exposed to LLMs at inference, can be exfiltrated through prompt injection or instruction-following vulnerabilities. Prior work largely focuses on simplistic pipelines. This paper demonstrates that modern enhancements, while improving utility or faithfulness, open nuanced new pathways for information compromise.
LeakDojo: Model, Architecture, and Configurability
LeakDojo is structured to support fine-grained evaluations via the independent configuration of RAG system components, attack strategies, and defense mechanisms.
Figure 2: LeakDojo models RAG leakage as an adversarial dynamic where attack and defense modules are independently configurable along the pipeline.
- RAG System Modularization: Retrieval (embedding model, strategy, thresholds, k), re-ranking, rewriting, and summarization modules can be independently toggled and parameterized. This decomposition enables targeted, empirical isolation of how particular design choices modulate leakage dynamics.
- Attack Flexibility: Attacks are abstracted into query generators (static or interactive) and adversarial instructions; these components can be freely combined, allowing the controlled study of their independent and joint effects.
- Defense Integration: Modular defenses encompass input intent detectors and output content filters, deployed independently or jointly, for realistic evaluation against adaptive adversarial techniques.
Empirical Benchmarking: Attacks, Risks, and System Parameters
The experimental protocol benchmarks six representative attack strategies on 14 LLMs across four datasets, controlling for RAG system configurations (retriever only, plus reranker, plus rewriter, plus summarizer). Performance is assessed with four key metrics: Cumulative Chunk Leakage (CCL), Successful Leak Trigger (SLT), Adversarial Retrieval Coverage (ARC), and Chunk Recovery Rate (CRR).
- Attack Results: No single attack dominates universally; attack efficacy is highly sensitive to the choice of LLM and dataset. For instance, PoR attains 88.3% CCL on Enron Email with Gemini-3-flash but only 6.8% CCL with DeepSeek-V3 for the same dataโa strong demonstration of the importance of system-specific benchmarking.
- Instruction-Following and Leakage Trade-off: A statistically significant positive correlation is observed between LLM instruction-following ability (measured by IFEval [zhou2023ifeval]) and leakage risk (SLT), evidenced by r=0.578, p=0.039 in Pearson analysis.
Figure 3: Increased instruction adherence in LLMs directly correlates with higher RAG leakage risk.
- Attack Orthogonality: The effectiveness of query generation (ARC) and adversarial instruction (SLT) are largely independent; the empirical product SLTรARC closely predicts observed CCL values.
Figure 4: CCL is well explained by the product of SLT and ARC, confirming the orthogonal contributions of query and instruction components.
Architectural Enhancements: Effects on Utility and Security
The integration of RAG enhancement modules, while often motivated by improvements to retrieval quality or system utility, can unintentionally raise or lower leakage risk:
- Rewriter: Consistently raises ARC and reduces its variance, effectively lowering the floor for successful leakage across poor queries.
- Summarizer: Decreases both CCL (by reducing verbatim content exposure) and RAG faithfulness, impairing answer utility.
- Reranker: Minimal effect on leakage metrics, implying that additional ranking without context rewriting or summarization does not meaningfully affect attack surface.
Notably, a strong positive correlation is observed between RAG faithfulness (system answer fidelity to context, via Ragas evaluation) and leakage, crystallizing the underlying utility-privacy tradeoff.
Figure 5: As RAG faithfulness increases, so does CCL, highlighting a core trade-off between answer accuracy and privacy.
Attack Adaptivity and Defense Evasion
LeakDojo enables analysis of both legacy and adaptive attack techniques:
- Modular defense strategies (intent detectors, output filters) are highly effective against standard explicit prompt-injection attacks, reducing observed CCL to <1%.
- Novel adversarial instructions (RankerSet and CodeClaim)โthat embed exfiltration directives within logical or formatting tasksโsubstantially bypass input intent detectors, achieving up to 59.6% CCL where the default attacks yield only 7.3%. This underscores the limitations of current defense formalisms and the potential for plausible deniability in instruction design.
Practical and Theoretical Implications
This work delivers actionable insights for practitioners:
- System Design: Architectural choices that improve RAG system faithfulness or retrieval coverage must be audited for privacy risk, as enhancements may inadvertently raise leakage rates.
- Attack Modeling: Security evaluations must jointly consider LLM instruction-following tendencies, attack adaptivity, and contextual use within enhanced RAG pipelines.
- Defense: Input and output defenses must go beyond pattern-matching for explicit leakage directives. Stealthy, context-masked attacks can surpass naive filtering, suggesting the need for deeper intent analysis and holistic privacy auditing of both input and output.
Further, the decomposition of attack efficacy into orthogonal components suggests model-agnostic, modular avenues for both attack refinement and defense strategy development.
Future Directions
The findings motivate multiple future research axes for AI safety and secure RAG deployment:
- Multilingual and Domain-General Risk: Extending leakage audits to non-English and low-resource domains, accounting for dataset- and language-specific retrieval/response patterns.
- Robust Defense Mechanisms: Development of universal, context-aware defense systems that generalize across explicit and covert attack forms.
- Long-term, Budget-Adapted Audits: Exploring adaptive attacks under extended interaction budgets, real-world deployment logging, and continuous risk monitoring.
- Faithfulness-Privacy Trade-off Optimization: Exploration of new RAG design paradigms and LLM alignment protocols that balance answer faithfulness with quantifiable privacy guarantees.
Conclusion
LeakDojo operationalizes the systematic evaluation of leakage risks in RAG systems, establishing that both model-internal properties (instruction following) and architectural enhancements (rewriter, summarizer, reranker) are double-edged with respect to privacy and answer utility. The decomposition of attacks into orthogonal functional components, coupled with extensive empirical benchmarking, enables actionable risk assessment for both researchers and applied practitioners. The release of a modular, extensible leakage evaluation framework positions the community for more secure RAG deployments and robust, adaptive defense design.