GraphSteal: Structural Knowledge Stealing from Graph RAG via Traversal Reconstruction
Pith reviewed 2026-06-29 11:38 UTC · model grok-4.3
The pith
An adversary can reconstruct over 90 percent of a Graph RAG knowledge graph via adaptive black-box queries.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Graph RAG systems can be turned into structural oracles. Adaptive black-box interactions allow an adversary to reconstruct substantial portions of the hidden knowledge graph. Depth-Wise Heuristic Search extracts fine-grained node attributes by recursively expanding entity-centered evidence. Breadth-Wise Diffusion Search infers graph topology by propagating across relation-induced neighborhoods. Experiments recover over 90 percent of the original knowledge graph in generic and healthcare scenarios.
What carries the argument
The structure-oriented reconstruction framework that recovers targeted graphs from local and global perspectives using Depth-Wise Heuristic Search for node attributes and Breadth-Wise Diffusion Search for topology.
Load-bearing premise
Adaptive black-box queries will reliably draw out enough relational evidence for high-fidelity reconstruction without the system applying effective structural defenses.
What would settle it
A test in which a Graph RAG system with structural defenses limits reconstruction to well below 90 percent accuracy under the same query strategy.
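One shape a structural defense of that kind could take, as an added example that is not from the paper or from any Graph RAG system: a per-client ledger that caps the cumulative fraction of graph triples a client's queries have pulled into responses. The toy graph, the `ExposureLedger` class, the `one_hop` stand-in retriever, the `replay` helper and the 50% budget are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed toy graph of (head, relation, tail) triples; not data from the paper.
KG = {
    ("patient_17", "diagnosed_with", "diabetes"),
    ("patient_17", "treated_by", "dr_lee"),
    ("patient_17", "prescribed", "metformin"),
    ("patient_42", "diagnosed_with", "asthma"),
    ("patient_42", "treated_by", "dr_lee"),
    ("patient_42", "prescribed", "albuterol"),
    ("dr_lee", "works_at", "clinic_a"),
    ("metformin", "treats", "diabetes"),
    ("albuterol", "treats", "asthma"),
    ("clinic_a", "located_in", "springfield"),
}


def one_hop(kg, entity):
    """Stand-in retriever (assumption): every triple that touches `entity`."""
    return {t for t in kg if entity in (t[0], t[2])}


class ExposureLedger:
    """Per-client record of which triples have been handed to the LLM."""

    def __init__(self, kg, budget=0.5):
        self.kg, self.budget = set(kg), budget
        self.seen = defaultdict(set)  # client id -> triples already served

    def coverage(self, client):
        """Fraction of the graph's triples this client has been served."""
        return len(self.seen[client]) / len(self.kg)

    def admit(self, client, retrieved):
        """Return (triples to serve, flagged). New triples are withheld once
        serving them would push cumulative coverage above the budget."""
        retrieved = set(retrieved) & self.kg
        merged = self.seen[client] | retrieved
        if len(merged) / len(self.kg) > self.budget:
            return retrieved & self.seen[client], True
        self.seen[client] = merged
        return retrieved, False


def replay(ledger, client, entities):
    """Replay a constructed session of entity-centred lookups; return the flags."""
    return [ledger.admit(client, one_hop(ledger.kg, e))[1] for e in entities]
```

The ledger counts triples passed to the generator, which is an upper bound on what a summarized answer reveals, and it is keyed on client identity, so it only bounds what a single authenticated principal can accumulate.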
Original abstract
Retrieval-Augmented Generation (RAG) enhances LLMs by grounding generation in query-relevant external evidence. Beyond unstructured text corpora, Graph RAG integrates knowledge graphs into the retrieval pipeline, enabling LLMs to access entities, relations, and multi-hop dependencies encoded in structured knowledge. However, the same structured knowledge that empowers Graph RAG also creates a new privacy attack surface. We demonstrate that Graph RAG systems can be turned into structural oracles: through adaptive black-box interactions, an adversary can elicit sufficient relational evidence to reconstruct substantial portions of the hidden knowledge graph. We propose a structure-oriented reconstruction framework that recovers targeted graphs from both local and global perspectives. Specifically, Depth-Wise Heuristic Search extracts fine-grained node attributes by recursively expanding entity-centered evidence, while Breadth-Wise Diffusion Search infers graph topology by propagating across relation-induced neighborhoods. Experiments on generic and healthcare scenarios demonstrate that our method can recover over 90% of the original knowledge graph from representative Graph RAG systems, revealing sensitive entities, relations, and structural dependencies with high fidelity. Existing guradrails provide limited defense against our attack, highlighting the inherent difficulty of safeguarding structural privacy in Graph RAG pipelines.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces GraphSteal, a structure-oriented reconstruction attack on black-box Graph RAG systems. It employs Depth-Wise Heuristic Search to recursively extract fine-grained node attributes and Breadth-Wise Diffusion Search to infer topology via relation-induced neighborhoods. The central claim is that these adaptive queries enable recovery of over 90% of the original knowledge graph (including entities, relations, and structural dependencies) in both generic and healthcare scenarios, while existing guardrails offer limited protection.
Significance. If the empirical results hold under realistic LLM summarization, the work identifies a previously under-explored privacy attack surface in Graph RAG pipelines. It supplies concrete, query-adaptive methods that achieve high-fidelity structural extraction and evaluates their effectiveness against deployed systems, which could motivate new structural privacy defenses in retrieval-augmented architectures.
major comments (2)
- [Abstract] Abstract: the central quantitative claim of >90% recovery is load-bearing for the contribution, yet the abstract (and the provided description of the framework) supplies no experimental details, baselines, error bars, dataset descriptions, or ablation studies. Without these, the fidelity of the reconstruction cannot be assessed.
- [Framework description] Framework (Depth-Wise Heuristic Search and Breadth-Wise Diffusion Search): the reconstruction success assumes Graph RAG responses return detailed, structured relational evidence (explicit entity-relation lists or raw triples). No analysis is given of how LLM-based summarization over retrieved subgraphs—which is standard in Graph RAG—could omit, condense, or distort topology and attributes, directly degrading reconstruction below the reported threshold.
minor comments (1)
- [Abstract] Abstract: 'guradrails' is a typo and should read 'guardrails'.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback on the abstract and framework description. We provide point-by-point responses below and will revise the manuscript to address the concerns.
- Referee: [Abstract] Abstract: the central quantitative claim of >90% recovery is load-bearing for the contribution, yet the abstract (and the provided description of the framework) supplies no experimental details, baselines, error bars, dataset descriptions, or ablation studies. Without these, the fidelity of the reconstruction cannot be assessed.
Authors: Abstracts are constrained by length and conventionally omit detailed experimental parameters such as error bars and ablations, which appear in Sections 4 and 5. To improve clarity we will add a concise sentence to the abstract noting the two evaluation scenarios (generic and healthcare) and the primary recovery metric. Full baselines, statistical details, and ablations will remain in the experimental sections. revision: partial
- Referee: [Framework description] Framework (Depth-Wise Heuristic Search and Breadth-Wise Diffusion Search): the reconstruction success assumes Graph RAG responses return detailed, structured relational evidence (explicit entity-relation lists or raw triples). No analysis is given of how LLM-based summarization over retrieved subgraphs—which is standard in Graph RAG—could omit, condense, or distort topology and attributes, directly degrading reconstruction below the reported threshold.
Authors: All reported results were obtained from representative Graph RAG pipelines that apply standard LLM summarization to retrieved subgraphs. The >90% recovery figures therefore already reflect performance under realistic summarization. We will insert a short clarifying paragraph in the framework section stating that the attack was evaluated end-to-end on such systems and briefly discussing how more aggressive summarization could affect fidelity. revision: yes
Circularity Check
No circularity: empirical attack framework with no derivations or self-referential reductions
The paper presents an attack method (Depth-Wise Heuristic Search and Breadth-Wise Diffusion Search) and reports experimental recovery rates >90% on Graph RAG systems. No equations, fitted parameters, uniqueness theorems, or self-citations appear in the abstract or described framework. The central claim rests on black-box query interactions and empirical results rather than any reduction to inputs by construction. This matches the default expectation of no significant circularity for an empirical security paper.