Retrieval-Augmented Generation (RAG) retrieves top-k passages from a corpus and feeds them to a Large language models (LLM). Anyone who can add a document, e.g., a Wikipedia editor or a review contributor, can potentially control the system’s output.
Poisoned RAG [1] showed N=5 coordinated documents achieves over 90% ASR.
Single-document follow-ups.
Corrupt RAG-AS [2] and AuthChain [3] improve over N=1 but leave a large gap to the upper bound.
Prior attacks only support the wrong answer. When the LLM’s parametric memory strongly favors the truth, it overrides the injected context. VENOM fixes this by also discrediting the correct answer inside the same passage — turning a knowledge conflict into a knowledge correction.