[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-rag-systems-have-a-model-level-attack-problem":10,"sections":34},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":24,"tags":25,"sources":29,"feedback":33,"feedback_at":22,"cost_usd":33,"total_tokens":33},1642,"rag-systems-have-a-model-level-attack-problem","RAG Systems Have a Model-Level Attack Problem","Researchers show that open-source retrieval models can be directly edited to inject malicious knowledge into RAG pipelines, bypassing text-based defenses.","A new attack framework targets the retrieval model inside RAG systems — not the documents it searches.\n\nMost RAG injection research focuses on poisoning the knowledge base: craft a convincing fake document, get it indexed, hope the system retrieves it. Researchers behind CAREATTACK take a different route. Because many RAG deployments use open-source embedding models like Qwen3-Embedding-0.6B or BGE-M3, an attacker who can tamper with the weights a deployment loads can edit the parameters directly — promoting malicious passages to the top of retrieval results without touching the underlying corpus. The method runs in two stages: a graph-based conflict detection step resolves interference between parameter edits, and a calibration pass ensures non-target queries behave normally so the manipulation stays hidden.\n\nThe practical concern here is scope. Corpus-level attacks are increasingly detectable — synthetic text leaves fingerprints, and filter pipelines are catching up. 
Model-level edits are harder to spot because the retriever looks and behaves normally on every query except the targeted ones. If an attacker can distribute a subtly edited version of a popular open-source embedding model, every downstream RAG application built on it becomes a potential target.\n\nThis sits alongside a growing body of work on supply-chain risk in open-source AI components — a problem the field has mostly treated as theoretical until experiments like this one make it concrete.","[\"security\",\"ai\",\"rag\",\"llm\"]","2026-06-18T04:00:00.000Z","2026-06-19T08:58:58.260Z","2026-06-19T08:58:59.904Z","published",null,[],"security",[24,26,27,28],"ai","rag","llm",[30],{"name":31,"url":32},"arXiv cs.AI","https:\u002F\u002Farxiv.org\u002Fabs\u002F2606.18310",0,{"sections":35},[36,40,43,48,53,58,63,68,72,76,81,86,91,96],{"name":37,"slug":26,"count":38,"latest_published_at":39},"AI",490,"2026-06-19T04:00:00.000Z",{"name":41,"slug":24,"count":42,"latest_published_at":39},"Security",132,{"name":44,"slug":45,"count":46,"latest_published_at":47},"Policy","policy",88,"2026-06-16T09:26:09.000Z",{"name":49,"slug":50,"count":51,"latest_published_at":52},"Consumer Tech","consumer-tech",78,"2026-06-16T17:58:24.000Z",{"name":54,"slug":55,"count":56,"latest_published_at":57},"Hardware","hardware",62,"2026-06-18T15:24:16.000Z",{"name":59,"slug":60,"count":61,"latest_published_at":62},"Software","software",58,"2026-06-16T20:00:00.000Z",{"name":64,"slug":65,"count":66,"latest_published_at":67},"Deals","deals",56,"2026-06-19T12:30:04.000Z",{"name":69,"slug":70,"count":71,"latest_published_at":39},"Dev 
Tools","dev-tools",50,{"name":73,"slug":74,"count":75,"latest_published_at":18},"Science","science",38,{"name":77,"slug":78,"count":79,"latest_published_at":80},"Gaming","gaming",31,"2026-06-16T15:25:13.000Z",{"name":82,"slug":83,"count":84,"latest_published_at":85},"General","general",26,"2026-06-13T18:35:15.000Z",{"name":87,"slug":88,"count":89,"latest_published_at":90},"Startups","startups",23,"2026-06-16T15:00:00.000Z",{"name":92,"slug":93,"count":94,"latest_published_at":95},"Reviews","reviews",19,"2026-06-14T08:00:00.000Z",{"name":97,"slug":98,"count":99,"latest_published_at":100},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]