Subgraph Reconstruction Attacks on Graph RAG Deployments with Practical Defenses

TL;DR

This paper introduces GRASP, a novel multi-turn attack method that effectively reconstructs subgraphs from Graph RAG systems despite safeguards, and proposes lightweight defenses to mitigate such privacy risks.

Contribution

The paper presents GRASP, a new closed-box, multi-turn subgraph reconstruction attack that overcomes existing safeguards and enhances privacy protection in Graph RAG deployments.

Findings

GRASP achieves up to 82.9 F1 in subgraph reconstruction.

Existing simple safeguards are largely ineffective against GRASP.

Two lightweight mitigations substantially reduce reconstruction fidelity.

Abstract

Graph-based retrieval-augmented generation (Graph RAG) is increasingly deployed to support LLM applications by augmenting user queries with structured knowledge retrieved from a knowledge graph. While Graph RAG improves relational reasoning, it introduces a largely understudied threat: adversaries can reconstruct subgraphs from a target RAG system's knowledge graph, enabling privacy inference and replication of curated knowledge assets. We show that existing attacks are largely ineffective against Graph RAG even with simple prompt-based safeguards, because these attacks expose explicit exfiltration intent and are therefore easily suppressed by lightweight safe prompts. We identify three technical challenges for practical Graph RAG extraction under realistic safeguards and introduce GRASP, a closed-box, multi-turn subgraph reconstruction attack. GRASP (i) reframes extraction as a context-processing task, (ii) enforces format-compliant, instance-grounded outputs via per-record identifiers to reduce hallucinations and preserve relational details, and (iii) diversifies goal-driven attack queries using a momentum-aware scheduler to operate within strict query budgets. Across two real-world knowledge graphs, four safety-aligned LLMs, and multiple Graph RAG frameworks, GRASP attains the strongest type-faithful reconstruction where prior methods fail, reaching up to 82.9 F1. We further evaluate defenses and propose two lightweight mitigations that substantially reduce reconstruction fidelity without utility loss.