Query-Efficient Agentic Graph Extraction Attacks on GraphRAG Systems

TL;DR

This paper introduces AGEA, a novel query-efficient black-box attack method that effectively reconstructs hidden knowledge graphs in GraphRAG systems, revealing significant vulnerabilities under limited query budgets.

Contribution

The paper presents AGEA, a new framework combining exploration, external memory, and filtering to efficiently extract knowledge graphs, outperforming prior attacks.

Findings

AGEA recovers up to 90% of entities and relationships.

AGEA outperforms prior attack baselines under the same query budgets.

Modern GraphRAG systems are highly vulnerable to structured extraction attacks.

Abstract

Graph-based retrieval-augmented generation (GraphRAG) systems construct knowledge graphs over document collections to support multi-hop reasoning. While prior work shows that GraphRAG responses may leak retrieved subgraphs, the feasibility of query-efficient reconstruction of the hidden graph structure remains unexplored under realistic query budgets. We study a budget-constrained black-box setting where an adversary adaptively queries the system to steal its latent entity-relation graph. We propose AGEA (Agentic Graph Extraction Attack), a framework that leverages a novelty-guided exploration-exploitation strategy, external graph memory modules, and a two-stage graph extraction pipeline combining lightweight discovery with LLM-based filtering. We evaluate AGEA on medical, agriculture, and literary datasets across Microsoft-GraphRAG and LightRAG systems. Under identical query budgets, AGEA significantly outperforms prior attack baselines, recovering up to 90% of entities and relationships while maintaining high precision. These results demonstrate that modern GraphRAG systems are highly vulnerable to structured, agentic extraction attacks, even under strict query limits. The code is available at https://github.com/shuashua0608/AGEA.