MM-PoisonRAG: Disrupting Multimodal RAG with Local and Global Poisoning Attacks

TL;DR

This paper exposes vulnerabilities in multimodal retrieval-augmented generation models by demonstrating how targeted and broad knowledge poisoning attacks can significantly disrupt their factual accuracy and reasoning capabilities.

Contribution

The paper introduces MM-PoisonRAG, the first systematic framework for designing knowledge poisoning attacks on multimodal RAG models, including localized and globalized strategies.

Findings

Localized Poisoning Attack achieves up to 56% success rate.

Globalized Poisoning Attack can reduce model accuracy to 0%.

Attacks are effective across different models and access settings.

Abstract

Multimodal large language models with Retrieval Augmented Generation (RAG) have significantly advanced tasks such as multimodal question answering by grounding responses in external text and images. This grounding improves factuality, reduces hallucination, and extends reasoning beyond parametric knowledge. However, this reliance on external knowledge poses a critical yet underexplored safety risk: knowledge poisoning attacks, where adversaries deliberately inject adversarial multimodal content into external knowledge bases to steer model toward generating incorrect or even harmful responses. To expose such vulnerabilities, we propose MM-PoisonRAG, the first framework to systematically design knowledge poisoning in multimodal RAG. We introduce two complementary attack strategies: Localized Poisoning Attack (LPA), which implants targeted multimodal misinformation to manipulate specific queries, and Globalized Poisoning Attack (GPA), which inserts a single adversarial knowledge to broadly disrupt reasoning and induce nonsensical responses across all queries. Comprehensive experiments across tasks, models, and access settings show that LPA achieves targeted manipulation with attack success rates of up to 56%, while GPA completely disrupts model generation to 0% accuracy with just a single adversarial knowledge injection. Our results reveal the fragility of multimodal RAG and highlight the urgent need for defenses against knowledge poisoning.