English

ADMIT: Few-shot Knowledge Poisoning Attacks on RAG-based Fact Checking

Computation and Language 2026-05-18 v2 Artificial Intelligence Cryptography and Security

Abstract

Knowledge poisoning poses a critical threat to Retrieval-Augmented Generation (RAG) systems by injecting adversarial content into knowledge bases, tricking Large Language Models (LLMs) into producing attacker-controlled outputs grounded in manipulated context. Prior work highlights LLMs' susceptibility to misleading or malicious retrieved content. However, real-world fact-checking scenarios are more challenging, as credible evidence typically dominates the retrieval pool. To investigate this problem, we extend knowledge poisoning to the fact-checking setting, where retrieved context includes authentic supporting or refuting evidence. We propose \textbf{ADMIT} (\textbf{AD}versarial \textbf{M}ulti-\textbf{I}njection \textbf{T}echnique), a few-shot, semantically aligned poisoning attack that flips fact-checking decisions and induces deceptive justifications, all without access to the target LLMs, retrievers, or token-level control. Extensive experiments show that ADMIT transfers effectively across 4 retrievers, 11 LLMs, and 4 cross-domain benchmarks, achieving an average attack success rate (ASR) of 86\% at an extremely low poisoning rate of 0.93×1060.93 \times 10^{-6}, and remaining robust even in the presence of strong counter-evidence. Compared with prior state-of-the-art attacks, ADMIT improves ASR by 11.2\% across all settings, exposing significant vulnerabilities in real-world RAG-based fact-checking systems.

Keywords

Cite

@article{arxiv.2510.13842,
  title  = {ADMIT: Few-shot Knowledge Poisoning Attacks on RAG-based Fact Checking},
  author = {Yutao Wu and Xiao Liu and Yinghui Li and Yifeng Gao and Yifan Ding and Jiale Ding and Xiang Zheng and Xingjun Ma},
  journal= {arXiv preprint arXiv:2510.13842},
  year   = {2026}
}
R2 v1 2026-07-01T06:39:32.666Z